Okta hacked, again! Cloudflare, 1Password, BeyondTrust and more affected!
Lessons learned from the latest Okta compromise and steps to improve your own posture.
Update 10/24/23: It seems now that 1Password has been affected as well.
Ok, here we are again. Another supply chain attack on a super critical piece of security software everyone uses. Both Cloudflare and BeyondTrust were downstream targets in this round.
In March 2022, Okta’s same support systems were compromised by the LAPSUS$ hacking group.
❓Questions For Okta Post Security Compromise
This whole incident brings up a few questions for consideration:
What has Okta learned from past mistakes?
What have WE learned as customers of Okta?
Why was Okta so slow to respond?
What assurance do we have this will not keep happening?
What alternatives do we have?
Okta Table Stakes Security Mistakes
I’m really upset because as a security company they made, IMHO, some gross errors and mistakes, including:
They did not detect the incident themselves which tells me their security operations is a bit lax
They seemingly IGNORED an incident report from a customer (who happened to be a security identity company)
It seems like they have not implemented some security best practices out there themselves like using hardware keys, limiting sessions timeout, or using contextual authentication (a feature of their platform!)
Read more recommendations here: https://www.lastweekasavciso.com/p/root-cause-of-mgm-hack-and-how-it
For a critical security service provider like Okta, we believe following these best practices is table stakes.
🔐Recommendations For Okta: Take a report of compromise seriously
Security Category: Incident Response
It took them almost 2 WEEKS to react to the compromise! Two weeks is a LONG time for an attacker to be roaming around an identity company.
It’s like having someone with access to the valet key closet at an expensive hotel.
Okta should review incident response protocols and communication plans and retrain all staff on incident response procedures.
🗣️Sponsored: Need help with your SOC 2, PCI, or ISO plan?
Purchase software from Cloud Security Labs, and get 1 month of white glove onboarding support and vCISO services ($5k+ value).
🔐Recommendations For Okta: Reduce Time To Detection 💪🏼
Security Category: Security Operations
As a security company, that is core to the downstream identity of tens of thousands of other companies and millions of login requests daily, there is an inherent responsibility to have good security.
Startup time is over.
As such, Okta should beef up their security operations and capabilities to DETECT real-time threats and unauthorized access.
Looks like there’s a tool for that! 😅
🔐Recommendations For Okta: Hire More Security Engineers?
Security Category: Security Engineering & Architecture
In March of 2023, it was reported that Okta fired it’s Red Team and removed the function altogether.
Now, 7 months later, a quick glance at Okta’s careers page shows at least 6 positions open.
Maybe they should include a detection and response engineer?
Okta should implement PREVENTATIVE security measures throughout it’s infrastructure and implement more fine grained access controls for support staff and engineers.
🎯The Future For Okta Security
It’s obvious the attackers have optimized attacking Okta. Okta has a HUGE target on it’s head because of it’s central role as an authentication provider and on top is making a lot of junior mistakes.
Attackers are persistent, and Okta is a public company worried about the bottom line, so it’s a little distracted.
Additionally, there are a ton of tools out there now for testing and hacking Okta so the threat landscape is increasing. (See bottom of post)
⚠️Warning: Service Providers Beware
As you can see service providers are the common target in these cases. A supply chain attack on supply chain providers, very meta.
If you are a service provider, DO NOT RELY on external entities anymore for your security. Gone are the times that we absolve ourselves of security responsibility to our 3rd parties. No, we need to build our own capabilities.
Below are some recommendations from Cloudflare. These are general guidelines that can also be applied for general authentication practices.
I would also say, be careful how you handle HAR files or maybe even limit the use of HAR files in the first place. That is A LOT of sensitive information to have.
Sometimes I feel like I’m repeating myself, but we all know in psychology that it takes someone 6 or 7 times for them to internalize something.
Maybe Okta needs to hear this a few times?
Below are some additional recommendations:
Okta Security Tools:
Need Information Security Support?
Schedule a call today to get flexible and expert support no matter the size.