Description

The Okta Account Takeover analytic story encompasses a comprehensive suite of detections aimed at identifying unauthorized access and potential takeover attempts of Okta accounts. This collection leverages diverse data points and behavioral analytics to safeguard user identities and access within cloud environments. Monitor for activities and techniques associated with Account Takeover attacks against Okta tenants.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication, Change, Risk
  • Last Updated: 2024-03-06
  • Author: Michael Haag, Mauricio Velazco, Bhavin Patel, Splunk
  • ID: 83a48657-8153-4580-adba-eb0b3a83244e

Narrative

Okta is a cloud-based identity management service that provides organizations with a secure way to manage user access to various applications and services. It enables single sign-on (SSO), multi-factor authentication (MFA), lifecycle management, and more, helping organizations streamline the user authentication process. Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts using techniques such as brute force, social engineering, phishing and spear phishing, and credential stuffing. By posing as the real user, cybercriminals can change account details, send out phishing emails, access sensitive applications, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Okta accounts.

Detections

Name | Technique | Type
Okta Authentication Failed During MFA Challenge | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP
Okta MFA Exhaustion Hunt | Brute Force | Hunting
Okta Mismatch Between Source and Response for Verify Push Request | Multi-Factor Authentication Request Generation | TTP
Okta Multi-Factor Authentication Disabled | Modify Authentication Process, Multi-Factor Authentication | TTP
Okta Multiple Accounts Locked Out | Brute Force | Anomaly
Okta Multiple Failed MFA Requests For User | Multi-Factor Authentication Request Generation | Anomaly
Okta Multiple Failed Requests to Access Applications | Web Session Cookie, Cloud Service Dashboard | Hunting
Okta Multiple Users Failing To Authenticate From Ip | Password Spraying | Anomaly
Okta New API Token Created | Valid Accounts, Default Accounts | TTP
Okta New Device Enrolled on Account | Account Manipulation, Device Registration | TTP
Okta Phishing Detection with FastPass Origin Check | Valid Accounts, Default Accounts, Modify Authentication Process | TTP
Okta Risk Threshold Exceeded | Valid Accounts, Brute Force | Correlation
Okta Successful Single Factor Authentication | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly
Okta Suspicious Activity Reported | Valid Accounts, Default Accounts | TTP
Okta Suspicious Use of a Session Cookie | Steal Web Session Cookie | Anomaly
Okta ThreatInsight Threat Detected | Valid Accounts, Cloud Accounts | Anomaly
Okta Unauthorized Access to Application | Cloud Account | Anomaly
Okta User Logins from Multiple Cities | Cloud Accounts | Anomaly

Reference

source | version: 1