VentureBeat presents: AI Unleashed – An exclusive executive event for enterprise data leaders. Network and learn with industry peers. Learn More
Showing how fragile digital identities are even for a leading provider of identity and access management (IAM) solutions, Okta’s security breach, acknowledged by the company on October 20, began with stolen credentials used to gain access to its support management system. From there, attackers gained access to HTTP Archive (.HAR) files that contain active session cookies and began breaching Okta’s customers, attempting to penetrate their networks and exfiltrate data.
Daniel Spicer, Ivanti’s chief security officer (CSO told VentureBeat, “Many IT team members, even those who are security-conscious, don’t think about what information they share with vendor support teams because they are ‘trusted.’ Security teams need to interview their IT teams to understand what data they commonly have to share to resolve support cases.” Spicer advises, “You should also inspect the output for automatically generated troubleshooting data from sensitive systems. You could find anything from certificates and credentials to PII in those data sets.”
Attackers exploited trust in privileged credentials
Attackers worked fast to use stolen session cookies and tokens from HAR files to impersonate legitimate users and attempt to gain unauthorized access to Okta’s customers’ systems. Okta customers BeyondTrust, Cloudflare, and 1Password — who collectively serve tens of thousands of organizations and customers, including some of the world’s largest and most important — immediately detected unusual activity, including new account creation and changes in administrative permissions. Each of these customers discovered the breach weeks before Okta did, immediately alerting their identity management vendor. It took Zoom calls and shared data results with Okta for the latter to confirm the breach, weeks later.
In an ironic twist for Okta, whose marketing slogan is everything starts with identity. Its customers detected attempted breaches immediately when unauthorized attempts were made to access high-privilege Okta accounts using a stolen session cookie from a recently uploaded HAR file.
An exclusive invite-only evening of insights and networking, designed for senior enterprise executives overseeing data stacks and strategies.
Stolen cookies and compromised tokens
Identity security company BeyondTrust’s blog post says that on October 2, it detected an unauthorized attempt to access a high-privilege Okta account using a stolen session cookie from a recently uploaded HAR file.
BeyondTrust realized the breach attempt came just 30 minutes after one of their admins shared the HAR file with Okta support. Attackers were using the stolen cookie to try and create a new administrative Okta profile in the BeyondTrust environment.
On October 18, Cloudflare noticed attacks originating from Okta and traced them back to a compromised authentication token. Cloudflare used its systems to detect attackers attempting to leverage an active, open Okta session to gain access to Cloudflare. Attackers had moved fast in the Cloudflare environment and had already managed to compromise two separate Cloudflare employee accounts within their Okta instance.
1Password detected suspicious activity on its Okta instance on September 29 when its internal systems identified a successful account takeover of one of its staff’s Okta accounts that had privileged access. 1Password was also able to trace the attack to a cookie harvested from the exfiltrated HAR file intercepted from the Okta support management system.
The attacker gained access to 1Password’s Okta administrative capabilities. 1Password’s security incident report provides more details about the attack. 1Password also rotated IT members’ credentials and switched to using Yubikey for multi-factor authentication (MFA) internally.
Attackers’ tradecraft prioritizes identity breaches
Identities continue to be a favorite attack surface because attackers, criminal gangs, and advanced persistent threat (APT) organizations know identities are the ultimate control surface. Seventy-eight percent of enterprises say identity-based breaches have directly impacted their business operations, and of those enterprises breached, 96% now believe they could have avoided a breach if they had adopted identity-based zero-trust safeguards earlier. Forrester found that 80% of all security breaches start with privileged credential abuse.
Delinea’s survey on securing identities found that 84% of organizations experienced an identity-related breach in the last 18 months. Gartner found that 75% of security failures are attributable to human error in managing access privileges and identities.
The last several high-profile cyberattacks share the common trait of capitalizing on the weaknesses of how identities and their privileged access credentials are managed. Okta’s assumption — that enabling HAR files to be shared with its support management system was secure — makes the point clear.
Any assumption of trust in how identities and access credentials are used needs to be replaced with verification and visibility. Attackers have long been targeting the gaps in endpoint security and identity management to take advantage of assumed trust in endpoint agents. Their goal is to capture privileged access credentials and penetrate infrastructure to perform reconnaissance, install malware, and exfiltrate data for financial gain.
Zero trust demands controls and visibility
Okta’s unfortunate breach shows how ingenious attackers are in exploiting any opportunity there is to steal privileged access credentials, down to intercepting Okta session cookies and attempting attacks with live sessions. The attempted breach illustrates why the core concepts of zero trust have immediate practical benefits.
Zero trust, predicated on least privilege access, auditing and tracking every transaction, use of resources, and workflow, must be given in every interaction across a network. By definition, zero trust security is a framework that defines all devices, identities, systems, and users as untrustworthy by default. All require authentication, authorization, and continuous validation before being granted access to applications and data.
The zero trust framework protects against external and internal threats by logging and inspecting all network traffic, limiting and controlling access, and verifying and securing network resources. The National Institute of Standards and Technology (NIST) has created a standard on zero trust, NIST 800-207, that provides prescriptive guidance to enterprises and governments implementing the framework.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.