Here, we are providing an open-sourced checklist to help guide an organization through the March 22, 2022 Okta event, from a Red Teamer’s point-of-view: https://github.com/neuvikredteam/PurpleTeam-Checklists/blob/main/IdP-Breach-Checklist.md
This week, there was a confirmed report that Okta was breached by the Lapsus$ hacking group. As far as we know, the group is not believed to be a state-sponsored actor. Organizations, however, now face two challenges: (1) the impact of an IdP breach, and (2) the fact that a non-Nation-State actor has demonstrated what would otherwise be categorized as a Nation-State capability. What to do now?
At Neuvik, we see two options as possible:
- Option one: Don’t panic, do nothing for now, and attend to the things that are still the most critical: systems patching, logging, baselining, and the like. We still see organizations that have yet to address the list of Top 20 critical vulnerabilities from 2021, let alone many of those from this year.
- Option two: Immediately address the risk. Here’s how:
(A) Create a Threat Model to address the issues at hand. A few to consider would be (1) STRIDE leaning heavily into the spoofing/tampering elements, (2) Trike with the IdP marked as an attacker, (3) OCTAVE for overall organizational risk.
When performing threat modeling, it’s also important to consider the actions that can be taken by a dedicated insider or a rogue component. Not only will this help to catch insider threats, but it also gives valuable insights into outcomes from post-breach actions taken by attackers.
The reality is that OpenID Connect IdPs are still considered an emerging technology by far too many people. This creates uncertainty when working to resolve a scenario such as this one. We believe sharing our learnings through our Emerging Technologies and Cloud Penetration Red Team practice is critical to helping the industry better protect itself.
(B) Use a quick checklist to get started on understanding whether your IdP service provider has been breached, and what that means for you. To help, we developed one and published it on GitHub.
https://github.com/neuvikredteam/PurpleTeam-Checklists/blob/main/IdP-Breach-Checklist.md
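As an added example (not part of the Neuvik post or the checklist it links), here is a small Python triage script for the kind of check the checklist starts with: reviewing the IdP's own audit log for provider-side actions such as support impersonation, MFA resets and password resets, which an attacker with vendor access can perform without ever knowing a password. It assumes the Okta System Log's JSON record shape (eventType, actor, target, published, outcome) and Okta's event-type names; the log lines below are constructed for illustration and the addresses are fictional.

```python
"""Triage of Okta System Log records after a provider-side incident.

Added example, not Neuvik's code. Assumes the System Log JSON shape and
Okta event-type names; the sample records are constructed.
"""
import json
from datetime import datetime, timedelta

# Event types to review first: a provider-side attacker leaves these behind.
HIGH_RISK_EVENTS = {
    "user.session.impersonation.grant": "tenant admin granted support impersonation",
    "user.session.impersonation.initiate": "impersonation session started as a user",
    "user.mfa.factor.reset_all": "all MFA factors reset for a user",
    "user.mfa.factor.deactivate": "an MFA factor was deactivated",
    "user.account.reset_password": "password reset issued",
    "user.account.privilege.grant": "admin privilege granted",
    "system.api_token.create": "API token created",
}

# Constructed sample log (newline-delimited JSON), including one malformed line.
SAMPLE_LOG = """
{"eventType": "user.session.impersonation.grant", "published": "2022-03-01T09:00:00.000Z", "actor": {"type": "User", "alternateId": "admin@example.test"}, "target": [{"type": "User", "alternateId": "admin@example.test"}], "outcome": {"result": "SUCCESS"}}
{"eventType": "user.session.impersonation.initiate", "published": "2022-03-01T09:05:00.000Z", "actor": {"type": "User", "alternateId": "support@example.test"}, "target": [{"type": "User", "alternateId": "alice@example.test"}], "outcome": {"result": "SUCCESS"}}
{"eventType": "user.mfa.factor.reset_all", "published": "2022-03-01T09:07:00.000Z", "actor": {"type": "User", "alternateId": "support@example.test"}, "target": [{"type": "User", "alternateId": "alice@example.test"}], "outcome": {"result": "SUCCESS"}}
this line is not JSON and must be skipped
{"eventType": "user.session.start", "published": "2022-03-01T09:30:00.000Z", "actor": {"type": "User", "alternateId": "bob@example.test"}, "target": [], "outcome": {"result": "SUCCESS"}}
{"eventType": "user.account.reset_password", "published": "2022-03-02T14:00:00.000Z", "actor": {"type": "User", "alternateId": "helpdesk@example.test"}, "target": [{"type": "User", "alternateId": "carol@example.test"}], "outcome": {"result": "SUCCESS"}}
""".strip().splitlines()


def parse_events(lines):
    """Parse NDJSON records, drop malformed lines, return them sorted by time."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        rec["_ts"] = datetime.strptime(rec["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(rec)
    return sorted(events, key=lambda e: e["_ts"])


def user_targets(event):
    """Login names of the User targets of an event (empty for session starts)."""
    return {t.get("alternateId", "?") for t in event.get("target", [])
            if t.get("type") == "User"}


def find_high_risk(events):
    """Every successful high-risk event, with actor, targets and the reason."""
    hits = []
    for e in events:
        reason = HIGH_RISK_EVENTS.get(e["eventType"])
        if reason and e.get("outcome", {}).get("result") == "SUCCESS":
            hits.append({
                "when": e["_ts"].isoformat(),
                "type": e["eventType"],
                "actor": e["actor"]["alternateId"],
                "targets": sorted(user_targets(e)),
                "reason": reason,
            })
    return hits


def correlate_impersonation(events, window=timedelta(hours=1)):
    """Sensitive changes made to a user within `window` after an impersonation
    session was started against that same user. Each finding is
    (impersonating actor, event type, affected users)."""
    findings = []
    for imp in events:
        if imp["eventType"] != "user.session.impersonation.initiate":
            continue
        victims = user_targets(imp)
        for e in events:
            if e is imp or e["eventType"] not in HIGH_RISK_EVENTS:
                continue
            if e["eventType"].startswith("user.session.impersonation"):
                continue  # the session events themselves are not the change
            if not (imp["_ts"] <= e["_ts"] <= imp["_ts"] + window):
                continue
            affected = victims & user_targets(e)
            if affected:
                findings.append((imp["actor"]["alternateId"],
                                 e["eventType"], sorted(affected)))
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for hit in find_high_risk(evts):
        print(f'{hit["when"]} {hit["type"]} by {hit["actor"]} -> {hit["targets"]}: {hit["reason"]}')
    for actor, etype, users in correlate_impersonation(evts):
        print(f"FOLLOW-UP: {etype} on {users} shortly after impersonation by {actor}")
```

Run it against an export of your System Log (one JSON record per line) in place of SAMPLE_LOG. The first pass lists every high-risk event so the review is not limited to a known-bad date range; the second pass surfaces the pattern that matters most here, a sensitive change to a user right after someone started a session as that user. Impersonation grants with no matching support ticket, and MFA or password resets performed by accounts your help desk does not recognize, are the items to escalate.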
We understand blog posts can be static, old, and maybe not continuously updated, so feel free to contribute. A few notes: Do we accept Pull Requests? Yes. Do we place a “Thank You” contribution to any organization in the space that contributes? Yes. This industry, like any other, is a scientific one. It is made better through more sharing, learning, and understanding, not less.
Events should be expected. Breaches like this are the ones we all try to avoid.
Frequently Asked Questions:
What about Zero Trust Architecture? Can we leverage Zero Trust Architecture in a scenario in which the IdP, at the heart of it, is itself no longer trustworthy?
This is an emerging and ongoing question. The answer depends greatly on the basics: how much telemetry and monitoring do you have? Do you have proper segmentation and controls? Can an attacker overwrite or move around your rules solely because they have an elevated account? If so, is that in itself a problem? If you would like to talk more about these types of issues, run an assessment, or run through a threat model, feel free to reach out to us at Neuvik.
Should we ditch Okta?
Not at this time. There are people in the industry who are comparing this event to the RSA breach or other large authentication breaches. Currently, there is no reason to believe that Okta is any more or less secure than other IdPs. A drastic move like switching IdPs should be done with planning and much consideration. Will Okta suffer the same fate as RSA? Hard to tell; RSA did not keep up with the times.
Shouldn’t we go back to On-Premise Active Directory Domain Services and ditch IdPs in the cloud?
No. This is tempting, isn’t it? Questions to ask yourself: Can you federate your local system to 3rd parties? Can you harden and maintain a hardened environment that is better protected than a company dedicated to this? Can you actually keep Active Directory hardened?
Neuvik will continually update this post as the situation unfolds.