Okta and Splunk Combine to Detect Common Attacks
In an ideal world, every security function would have a Detection Engineering team.
Regrettably, even organizations that are stewards of highly sensitive data often can’t afford (or don’t prioritize) the capabilities required for effective security monitoring. There is also a common misconception that cloud service providers do that monitoring on the customer's behalf; in practice, the provider logs the events and the customer still has to detect and respond.
It's a challenge that Okta Security wants to help address. Whenever we write a detection for our own purposes (we use Okta, too!), there’s an untapped opportunity to use those detections to help other Okta customers prevent or respond to security incidents that stem from common credential-based attacks.
So we’ve decided to publish our detection logic. Right here! (Scroll down!)
Publishing raw detection logic will suit many of our customers. But we recognize that publishing it here won’t reach everybody, and it still puts the onus on customers to tune or adapt the detections to their own tenants and data volumes.
That’s where mutual friends come in handy.
Over the past few months, Okta’s Defensive Cyber Operations team has shared bespoke detection logic with security analytics/SIEM providers, requesting the logic be baked into their content libraries “out of the box.”
The first of those discussions has already borne fruit with Splunk, the security analytics platform chosen most often by Okta customers, thanks to the assistance of James Brodsky, Splunk’s GVP for Security Strategy, and Splunk Senior Threat Researcher Michael Haag.
As of Splunk Enterprise Security Content Update (ESCU) v3.62.0, security teams that ingest Okta System Log events into the Splunk platform can run and modify an initial set of bespoke detections in Splunk® Enterprise Security developed by Okta’s Defensive Cyber Operations team. James and Michael have tweaked these raw detections to make them more legible and applicable to a broader number of our mutual customers.
The Splunk update enhances their pre-existing analytic stories for Okta, and includes new approaches to detecting:
- Session Hijacking via phishing for initial access
- Post-compromise activity by threat actors abusing a stolen session token
- Abuse of Push MFA (including “MFA Fatigue” attacks)
- Credential Stuffing
- Password Spray attacks
All of these detections are relevant to Okta Identity Engine (not the Classic Engine).
The six detections, whose search logic ships in the ESCU release above, are:
Okta Phishing Detection with FastPass Origin Check
Suspicious Use of an Okta Session Cookie
Multiple Failed Requests to Access Okta Applications
Mismatch Between Source and Response for Verify Push Request
ThreatInsight Alert: Login Failure with High Unknown Users
ThreatInsight Alert: Suspected Password Spray Attack
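To make the shape of two of these detections concrete, here is an added example that is not Okta's or Splunk's logic and not the ESCU searches themselves. It runs a password-spray check (one source failing logins against many distinct accounts) and a push-fatigue check (one user receiving a burst of Okta Verify push challenges) over a handful of constructed Okta System Log-style events. The field names (eventType, actor.alternateId, client.ipAddress, outcome.result, published, uuid), the event type strings, the sample data and the thresholds are assumptions for illustration; confirm them against a System Log export from your own tenant before reusing any of it.

```python
"""Two heuristic checks over Okta System Log-style events (constructed, illustrative).

Added example: not Okta's or Splunk's detection logic. Field names and event
types are assumptions modelled on the Okta System Log; verify against your tenant.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _event(uuid, event_type, user, ip, result, published):
    """Build a minimal Okta System Log-shaped event (assumed field layout)."""
    return {
        "uuid": uuid,
        "eventType": event_type,
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip},
        "outcome": {"result": result},
        "published": published,
    }


# Constructed sample: one IP spraying six accounts within minutes, a benign user
# who mistypes twice, and a user being bombarded with Okta Verify push challenges.
SAMPLE_EVENTS = [
    _event(f"s{i}", "user.session.start", f"user{i}@example.com", "203.0.113.7",
           "FAILURE", f"2023-06-01T12:0{i}:00Z")
    for i in range(1, 7)
] + [
    # Same source, a seventh account, but hours later: falls outside the window.
    _event("s7", "user.session.start", "user7@example.com", "203.0.113.7",
           "FAILURE", "2023-06-01T14:30:00Z"),
    _event("a1", "user.session.start", "alice@example.com", "198.51.100.20",
           "FAILURE", "2023-06-01T12:00:00Z"),
    _event("a2", "user.session.start", "alice@example.com", "198.51.100.20",
           "FAILURE", "2023-06-01T12:01:00Z"),
    _event("a3", "user.session.start", "alice@example.com", "198.51.100.20",
           "SUCCESS", "2023-06-01T12:02:00Z"),
    _event("p0", "system.push.send_factor_verify_push", "alice@example.com",
           "198.51.100.20", "SUCCESS", "2023-06-01T12:02:05Z"),
] + [
    # Five pushes to bob in two and a half minutes.
    _event(f"p{i}", "system.push.send_factor_verify_push", "bob@example.com",
           "203.0.113.9", "SUCCESS", f"2023-06-01T13:0{i // 2}:{30 * (i % 2):02d}Z")
    for i in range(1, 6)
]


def _parse_ts(published):
    """Okta publishes RFC 3339 timestamps with a trailing Z."""
    return datetime.fromisoformat(published.replace("Z", "+00:00"))


def _max_distinct_in_window(events, key_fn, value_fn, window):
    """Per key, the most distinct values seen in any span no longer than `window`."""
    buckets = defaultdict(list)
    for e in events:
        buckets[key_fn(e)].append((_parse_ts(e["published"]), value_fn(e)))
    best = {}
    for key, items in buckets.items():
        items.sort()
        counts, lo, peak = Counter(), 0, 0
        for ts, value in items:
            counts[value] += 1
            # Slide the left edge forward until the span fits inside the window.
            while ts - items[lo][0] > window:
                old = items[lo][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                lo += 1
            peak = max(peak, len(counts))
        best[key] = peak
    return best


def password_spray_sources(events, window=timedelta(minutes=10), min_users=5):
    """Source IPs whose failed logins hit at least `min_users` distinct accounts within `window`."""
    failures = [e for e in events
                if e["eventType"] == "user.session.start"
                and e["outcome"]["result"] == "FAILURE"]
    per_ip = _max_distinct_in_window(failures, lambda e: e["client"]["ipAddress"],
                                     lambda e: e["actor"]["alternateId"], window)
    return {ip: n for ip, n in per_ip.items() if n >= min_users}


def push_fatigue_targets(events, window=timedelta(minutes=5), min_pushes=4):
    """Users sent at least `min_pushes` Okta Verify push challenges within `window`."""
    pushes = [e for e in events if e["eventType"] == "system.push.send_factor_verify_push"]
    per_user = _max_distinct_in_window(pushes, lambda e: e["actor"]["alternateId"],
                                       lambda e: e["uuid"], window)
    return {user: n for user, n in per_user.items() if n >= min_pushes}


if __name__ == "__main__":
    print("password spray:", password_spray_sources(SAMPLE_EVENTS))  # {'203.0.113.7': 6}
    print("push fatigue:", push_fatigue_targets(SAMPLE_EVENTS))      # {'bob@example.com': 5}
```

The window width and the distinct-count thresholds are exactly the knobs a team has to tune for its own tenant (help-desk IPs, shared egress NAT, and large password resets all inflate the benign baseline), which is the adaptation burden the post mentions and what the ESCU packaging is meant to lower. In Splunk the same distinct-count-per-source idea is a `bin _time` followed by `stats dc(...)` over the failed-login events; the Python here is only to show the logic in a form you can run against a log export offline.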
Magic like this happens when best-in-class providers of security tools share knowledge, without any agenda outside of protecting our mutual customers.
A huge thanks to the authors and contributors in this initial effort:
- James Brodsky (Splunk)
- Scott Dermott (Okta)
- Michael Haag (Splunk)
- John Murphy (Okta)
- Felicity Robson (Okta)
- Jordan Ruocco (Okta)
To learn more, Splunk and Okta are hosting a joint session at .conf23, the annual Splunk conference, scheduled for July 17-20, 2023 in Las Vegas.