Yiftach Keshet
Apr 10, 2022

The Okta Breach – Lessons Only the Attackers Can Teach

“There is no teacher but the enemy. No one but the enemy will tell you what the enemy is going to do. No one but the enemy will ever teach you how to destroy and conquer. Only the enemy shows you where you are weak. Only the enemy shows you where he is strong. And the rules of the game are what you can do to him and what you can stop him from doing to you.”
(Ender’s Game, Orson Scott Card)

While the recently disclosed attack on Okta appeared to be limited in scope and impact, it nevertheless provides key insights into the critical role the use of compromised credentials played in this breach. Placing this breach within the overall context of today’s threat landscape reveals that user identities have become a top targeted attack surface. How should this change in the threat actors’ playbook impact our security architecture and practices so we can win against attacks that employ user accounts as their main attack vectors? In this article, we explore the key lessons that the Lapsus$ threat actors have taught us in this breach and how we can use these lessons to enhance the resilience of our environments to identity threats.

A short recap of the Okta breach

Attackers from the Lapsus$ group compromised an endpoint of a third-party support engineer via RDP. After compromising the endpoint, the attackers disabled the endpoint protection agent and downloaded various tools such as ProcessHacker and Mimikatz. They then used these tools on the compromised endpoint to obtain credentials for the O365 account associated with a company the third-party service provider acquired in August 2021. Once this access was obtained, the attackers created a new account and configured a rule to forward all mail to this account, potentially impacting 366 Okta customers.
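The last step of that recap, a new account followed by a rule forwarding mail to it, can be hunted for in mailbox audit data. The following is an added example, not code from the original article or from Okta; the records are constructed, their fields are modeled on the Microsoft 365 unified audit log, and the 24-hour window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample records, modeled on Microsoft 365 unified audit log fields.
SAMPLE_AUDIT = [
    {"CreationTime": "2024-01-10T02:10:00", "Operation": "Add user.",
     "UserId": "support.eng@example.com", "ObjectId": "helpdesk-sync@example.com"},
    {"CreationTime": "2024-01-10T02:31:00", "Operation": "New-InboxRule",
     "UserId": "support.eng@example.com",
     "Parameters": [{"Name": "Name", "Value": "sync"},
                    {"Name": "ForwardTo", "Value": "helpdesk-sync@example.com"}]},
    {"CreationTime": "2024-01-10T03:00:00", "Operation": "Set-Mailbox",
     "UserId": "support.eng@example.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:helpdesk-sync@example.com"}]},
    {"CreationTime": "2024-01-10T09:00:00", "Operation": "New-InboxRule",
     "UserId": "alice@example.com",   # forwards to a long-standing account
     "Parameters": [{"Name": "ForwardTo", "Value": "bob@example.com"}]},
]

FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
                  "ForwardingSmtpAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

def _when(rec):
    return datetime.fromisoformat(rec["CreationTime"])

def forwarding_to_new_accounts(records, window=timedelta(hours=24)):
    """Flag mail forwarding whose target is an account created within `window`."""
    created = {}   # new account address -> (creation time, creating user)
    alerts = []
    for rec in sorted(records, key=_when):
        if rec["Operation"] == "Add user.":
            created[rec["ObjectId"].lower()] = (_when(rec), rec["UserId"])
        elif rec["Operation"] in RULE_OPS:
            for param in rec.get("Parameters", []):
                if param["Name"] not in FORWARD_PARAMS:
                    continue
                target = param["Value"].lower().removeprefix("smtp:")
                if target in created and _when(rec) - created[target][0] <= window:
                    alerts.append({"mailbox_changed_by": rec["UserId"],
                                   "operation": rec["Operation"],
                                   "target": target,
                                   "account_created_by": created[target][1]})
    return alerts

if __name__ == "__main__":
    for alert in forwarding_to_new_accounts(SAMPLE_AUDIT):
        print(alert)
```

Correlating the two events keeps routine forwarding between established mailboxes out of the alert queue.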

Key takeaways for security stakeholders:

Lesson #1: Attackers target your weaknesses

So what has the enemy taught us through this breach? We believe… a lot. First and foremost we were reminded (nothing new) that the chain is only as strong as its weakest link and that attackers initially target these weak links to ultimately access what’s behind the stronger ones. Based on the attack flow we’ve described, let’s look at the weaker links Lapsus$ threat actors have targeted to launch their attack:

Weakness #1: Addition of new M&A environments

Nothing new here, but still a useful reminder. Mergers and acquisitions are an integral part of the business lifecycle. That said, there is no easy way to absorb one live IT environment into another one. While there are no easy solutions here, security teams should take a page from the attackers’ playbook and dedicate increased attention to these new portions of their networks, since they are the most likely to be targeted.

Weakness #2: Supply chain and third party access

The modern enterprise IT environment is an ecosystem, not a standalone entity. That means that, by design, people are connecting to your environment from machines you don’t manage, with security practices that might not align with yours, while you remain accountable for a breach that occurs because of them. At the end of the day, the only aspect of the supply chain ecosystem that you can control is the access policy and the requirements third parties should fulfill to be trusted.

Weakness #3: Cloud resources in a hybrid environment are exposed to attacks originating from on-prem machines

At the end of the day, even if you’re cloud-native and digitally transformed there will be non-web resources either interfacing with your environment or being an actual part of it. The most intuitive example is the workstations your employees use to connect to SaaS applications and cloud workloads. If such a workstation is compromised, attackers can easily get their hands on the stored credentials and advance their presence, not only to additional machines on-prem but also to SaaS applications and cloud workloads.

Examining these weaknesses reveals that they are not comparable to an unpatched vulnerability or a misconfigured policy. They cannot simply be eliminated with the click of a button and are not the result of any security malpractice. Rather, they are inherent to the infrastructure of any IT environment.

Lesson #2: Compromised credentials were the attack’s backbone

While each of the first two weaknesses opens the environment to several types of attacks, the third weakness – exposure of cloud resources to attacks originating from the on-prem environment – radically intensifies their impact. Compromised credentials played a dual role in this attack: first in the initial access to the compromised machine, and second in accessing O365. So, it’s the identity attack vector that wove the three weaknesses into an extremely effective attack that puts at risk resources that appear to be under high protection.

Lesson #3: An identity attack surface can only be protected when unified

Dispersed identity protection creates blind spots. If remote access via RDP is protected by the VPN provider, SaaS login by a CASB, and internal connections between on-prem machines by an EDR, attackers will bypass them one by one. The better alternative is to centrally monitor and protect every authentication and access attempt, so a detected risk in a user login to one resource enables restriction of this user’s access to all other resources as well.
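The difference between dispersed and unified protection can be shown by replaying one login stream through both models. This is an added sketch, not code from the original article or from any product; the class names, the 0-100 risk scale, the threshold and the event stream are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthEvent:
    user: str
    resource: str   # access path that saw the login: "rdp", "saas", "ssh"
    risk: int       # 0-100 score from the sensor on that path (hypothetical scale)

class SiloedControls:
    """One product per access path; a risky login is remembered only on that path."""
    def __init__(self, threshold=70):
        self.threshold = threshold
        self.flagged = {}            # resource -> users flagged on that resource
    def decide(self, ev):
        users = self.flagged.setdefault(ev.resource, set())
        if ev.risk >= self.threshold:
            users.add(ev.user)
        return "deny" if ev.user in users else "allow"

class UnifiedControl:
    """One decision point; a risky login anywhere restricts the user everywhere."""
    def __init__(self, threshold=70):
        self.threshold = threshold
        self.flagged = set()
    def decide(self, ev):
        if ev.risk >= self.threshold:
            self.flagged.add(ev.user)
        return "deny" if ev.user in self.flagged else "allow"

def blind_spots(events):
    """Return the events a siloed setup allows but a unified one denies."""
    siloed, unified = SiloedControls(), UnifiedControl()
    missed = []
    for ev in events:
        # Evaluate both engines on every event so each keeps its own state current.
        s, u = siloed.decide(ev), unified.decide(ev)
        if s == "allow" and u == "deny":
            missed.append(ev)
    return missed

# Constructed event stream: one risky RDP login, then low-risk logins elsewhere.
SAMPLE_EVENTS = [
    AuthEvent("support.eng", "rdp", 90),
    AuthEvent("support.eng", "saas", 20),
    AuthEvent("alice", "saas", 10),
    AuthEvent("support.eng", "ssh", 15),
]
```

On the sample stream, the siloed model stops only the RDP login, while the SaaS and SSH logins by the same account pass because no other control knows about the earlier risk.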

Every security stakeholder can take away from this analysis one simple truth: in today’s enterprise environment, identity is the key attack surface. And our security architectures must adjust, respond, and become native to this insight if we wish to gain the upper hand in the battle against cyber attackers.

Stopping the enemy

The Okta breach spotlights a trend that has been slowly increasing in recent years. Attackers favor launching identity-based attacks, using compromised credentials to access targeted resources. And they do so because this attack vector is the least guarded in today’s enterprise environment. The response from our side should be to acknowledge that identity is a critical attack surface and protect it accordingly – with real-time prevention, detection, and response to identity threats on-prem and in the cloud, applied equally to RDP connections to remote workstations, web logins to SaaS applications, and command-line access to on-prem servers.

About Silverfort

Silverfort has pioneered the first Identity Threat Protection platform purpose-built for real-time prevention, detection, and response to identity-based attacks that utilize compromised credentials to access targeted resources. Silverfort prevents these attacks through continuous monitoring, risk analysis and real-time enforcement of Zero Trust access policies on every user, system, and environment on-prem and in the cloud.
