On March 22nd, 2022, the LAPSUS$ hacker group surprised us by sharing screenshots of OKTA’s penetrated environment. But for customers of OKTA, reality didn’t set in until OKTA admitted to the incident. Then we found out Microsoft was hit. The top two market leaders in identity management are held to a certain standard by customers. So it is understandable how such a series of events can suck all the optimism from customers who rely on these cloud service providers for business-critical duties every day.
In an era when cybercrime is a highly lucrative business, and numerous security companies are in the business of trying to stop it, customers seem to be caught in a never-ending losing battle between the ever-growing fear of being the next victim of a cybercrime and the exponentially growing number of security services they must consume. However, all these customers are searching for is peace of mind.
That peace of mind comes when customers are proactive in ensuring that even if they become the victim of a cybercrime, they know they will bounce back quickly, within hours, because they have Digital Identity Resilience. DIR (Digital Identity Resilience) brings peace of mind to all the customers who rely on SaaS service providers to maintain their cloud services. The innovative approach accSenSe brings to the market allows customers to concentrate on what is important to them – running their business while ensuring their identities are fully protected.
Let’s deep dive into the benefits accSenSe brings.
The fundamental functionality accSenSe brings is continuous data protection for OKTA customers. By subscribing to the accSenSe cloud service, customers can back up all their OKTA tenants. Backups run constantly at 10-minute intervals and are stored as long as needed, up to indefinite retention. accSenSe will back up all objects and relationships in the protected tenants, thus allowing customers easy options for recovery, sandboxing, and regulatory compliance. An “easy to navigate” dashboard and email alerts are available to confirm everything is up and running per the agreed SLA.
Frequent, always-running backups bring additional benefits to accSenSe customers. They allow easy comparison between different points in time in the OKTA configuration. This approach is instrumental when investigating potential security breaches or tracking changes in the environment.
As we just saw, accSenSe is a great tool to keep track of changes in the OKTA system, and it only gets better with the additional level of depth it offers.
Let’s look at the scenario when an employee leaves the company and their user account gets deactivated.
A malicious hacker finds that this user was recently deactivated and proceeds to re-activate the user to gain access to the company’s environment.
We can see that accSenSe tracks and monitors changes for each property on each object. In our example, we see there was a change to the following properties on this specific user:
The attacker activates the user and then sets a temporary password for them. The events for these types of changes are:
After setting a temporary password, the attacker can log in and change the password to a new one. The following events happen in OKTA and are continuously tracked by accSenSe. They can easily be found in the history section for a selected user:
- user.session.start (where the actor is the newly activated user)
- policy.evaluate_sign_on (allow)
- app.oauth2.token.grant.id_token (success)
- user.authentication.sso (successful)
Now the attacker can log in to OKTA with the fake credential they created.
With the user activated, the attacker can change the role for the user. The event that states this role grant is:
- and also, in the debug data for the same event, we can see the new role that this user has
Every change that the attacker made in OKTA is tracked by accSenSe. We can review the admin’s object details on the accSenSe continuity page. The role this user has been given is shown below:
After all these changes are complete, the attacker has full access to a new account with a super admin privilege, and now has full control of this OKTA tenant.
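As an added example (not accSenSe or OKTA code), the Python below correlates the chain described in this scenario over simplified System Log-style records: a deactivated user is re-activated, signs in, and is then granted an admin role. Only `user.session.start` is taken from this page; the other event type names come from Okta's System Log event catalogue, and the function names, record layout and sample data are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Types other than user.session.start are assumed from Okta's event catalogue.
DEACTIVATE = "user.lifecycle.deactivate"
ACTIVATE = {"user.lifecycle.activate", "user.lifecycle.reactivate"}
SESSION_START = "user.session.start"
PRIVILEGE_GRANT = "user.account.privilege.grant"

def _ts(e):
    return datetime.fromisoformat(e["published"].replace("Z", "+00:00"))

def _users(e):
    return [t["alternateId"] for t in e.get("target", []) if t.get("type") == "User"]

def find_reactivation_escalations(events, window=timedelta(hours=24)):
    """Flag deactivated users who are re-activated, sign in, then get an admin role."""
    state, alerts = {}, []
    for e in sorted(events, key=_ts):
        if e.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed attempts do not advance the chain
        kind, when, actor = e["eventType"], _ts(e), e["actor"]["alternateId"]
        if kind == DEACTIVATE:
            for u in _users(e):
                state[u] = {"activated_at": None, "by": None, "signed_in": False}
        elif kind in ACTIVATE:
            for u in _users(e):
                if u in state:  # only accounts seen being deactivated earlier
                    state[u].update(activated_at=when, by=actor, signed_in=False)
        elif kind == SESSION_START and state.get(actor, {}).get("activated_at"):
            state[actor]["signed_in"] = True  # the re-activated user is the actor
        elif kind == PRIVILEGE_GRANT:
            for u in _users(e):
                s = state.get(u)
                if s and s["signed_in"] and when - s["activated_at"] <= window:
                    alerts.append({"user": u, "activated_by": s["by"], "granted_at": e["published"]})
    return alerts

def _ev(ts, kind, actor, target=None, result="SUCCESS"):
    return {"published": ts, "eventType": kind, "actor": {"alternateId": actor},
            "target": [{"type": "User", "alternateId": target}] if target else [],
            "outcome": {"result": result}}

# Constructed sample records (not real log data), shaped like System Log entries.
SAMPLE = [
    _ev("2022-04-01T09:00:00.000Z", DEACTIVATE, "hr@example.com", "leaver@example.com"),
    _ev("2022-04-03T02:10:00.000Z", "user.lifecycle.reactivate", "helpdesk@example.com", "leaver@example.com"),
    _ev("2022-04-03T02:14:00.000Z", SESSION_START, "leaver@example.com"),
    _ev("2022-04-03T02:20:00.000Z", PRIVILEGE_GRANT, "helpdesk@example.com", "leaver@example.com"),
    _ev("2022-04-03T08:00:00.000Z", PRIVILEGE_GRANT, "it@example.com", "newhire@example.com"),
]
```

Calling `find_reactivation_escalations(SAMPLE)` returns one alert for the constructed leaver account; the routine role grant to the new hire is not flagged because that account was never seen being deactivated.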
Given the sensitivity of identity management systems and the latest events, it’s understandable that many OKTA customers feel vulnerable. Fortunately, that vulnerable feeling can be put at ease with Digital Identity Resilience. accSenSe is the only product on the market that can bring peace of mind to OKTA customers, with any point-in-time backups, infinite retention, change tracking, and deep-dive investigation capabilities.
Writer: accSenSe Product and Customer Success teams.