Podcast Feb 19, 2024

Root Causes 363: Defending Yourself Against Use of Stolen Privileges

Cloudflare recently published details of an attack it suffered as a downstream effect of a November 2023 breach against Okta and what it did to nullify its success. We discuss the steps enterprises can take to protect themselves against malicious use of stolen access credentials.

  • Original Broadcast Date: February 19, 2024

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    Ok. So we're going to go back a little bit in time to November 29, 2023. November of 2023. There was a breach at Okta. So what happened there?

  • Jason Soroko

    Yeah. So, you know, in terms of the root causes to all of that, I think what's important to note, Tim, is that - this is Okta saying this through their blog - basically all of their customers, or pretty much all their customers had some level of information that was taken by bad actors. Right. And I think that Okta is saying, look, it's limited in terms of what was in that information and, you know, we're admitting that information is now out, but you know, it's not like it's credit card information or some kind of incredibly important PII. Right? Like that's what they're saying, I think.

    But, you know, Tim, what I find interesting is when you, you know, I'm just trying to sense the reverberations, right? If this was really a non-event, then fine. Maybe we won't really hear much about it. But I would say this.

    Here's what I do want to say about it. Is that if you're an Okta customer, and I'm not here to knock Okta. And that's why I'm not going through the details of exactly what happened because you can read for yourself. What this blog is about and what's important is the bad guys are going to be collecting as much information as they can about the consumers of all these technologies. And so if you are in the business of procuring IAM, you know, identity provider type of information, kind of technology, if you're procuring that, and that kind of adds up to everybody, Tim.

  • Tim Callan

    Sure.

  • Jason Soroko

    That's pretty much everybody, in some sense, whether you're on Active Directory, whether you're in Okta, whether you're in one of the other players in that space. My goodness, that's a goldmine for anybody who wants to go off and do attacks.

  • Tim Callan

    Yep.

  • Jason Soroko

    Even if it's a little bit of information. And so the theme of this podcast is really security through obscurity. Thinking that information about the customers and your usage, even from a support standpoint of any of these vendors, you should just consider that the bad guys have that information in their back pocket.

  • Tim Callan

    Right.

  • Jason Soroko

    And again, that's no knock to Okta. It's no knock to Microsoft Active Directory. It’s no knock to anybody who does those things. I think everybody should just assume all those guys have given up that information or could or will. Just assume it. And so what does that cause you to do? It causes you to do some of the things that actually Cloudflare talks about because they've now written a couple blogs on how they have mitigated the Okta compromise. And so Cloudflare recently talked, had a blog, which actually talked about a breach about an internal wiki. And so they also claimed, hey, good for us. We had terrific zero trust security technology that allowed us to protect ourselves against that beachhead that the bad guys were able to get into.

  • Tim Callan

    And let me jump in here real quick. If you want to read about this, it's on the Cloudflare blog. There's a February 1, 2024 blog post. The headline is Thanksgiving 2023 Security Incident. So they're going back to the same timeframe and they're talking about what they experienced, which really was enabled by this Okta incident that we talked about. So go on Jay.

  • Jason Soroko

    Yeah. Thank you very much, Tim, for that. So there is a blog that Cloudflare has called How Cloudflare Mitigated Yet Another Okta Compromise, and you can see that they're getting a little bit miffed with some of these things, because, you know, we had talked about an Okta compromise back in 2022. I think that was Root Causes 217. And this is yet another one, right? And so how did it affect them?

    Well, the bad guys were able to establish a beachhead, not get any further. Thank goodness Cloudflare is a security conscious company. Maybe others who were Okta companies might not be so lucky. So there were issues, right. And what were the issues?

    Well, there might have been keys that weren't rotated. There might have been accounts that might not have been changed sufficiently that the bad guys had information about and so they could target it. I think that's what happened in the Cloudflare case.

    So what is Cloudflare saying? I think that the heart of what I want to repeat here on this podcast, which is regardless of what IDP system or IAM system you are using, you should monitor for new user creation and reactivation of users that have been deactivated, obviously. Making sure all sessions have the authentication settings that were associated with it that are actually happening. Are there any permission changes, especially MFA policy overrides, MFA removals? Do you see any delegation of sensitive applications? You know, and then of course, you know, the last bullet point they have here, which is the supply chain providers. If they're accessing your tenants, well, are you monitoring those very specifically, because a lot of times, the bad guys will use them as a weak link in the chain. And there are many, many other things to do here. But that's the core of it. And to me, watching out for those real simple, primitive activities in your IDP, in your IAM, those are the contexts with which if you can catch that, you'll catch the attack, because that's what the bad guys are doing. That's how the bad guys will step up their privileges. If you assume that everybody knows who your users are, and what maybe their basic privileges are, what they have access to, what their MFA policies are, for example, then you should be absolutely making sure that the correct context to those changes are staying in place. And if you see something like an MFA removal against an account that had been around for a while, well, guess what - that's a sign of something strange. Ask the user if they did it and if not, hey, ring the alarm bell. Something probably bad happened. Somebody might be walking around with that person's credentials.

    And so I guess what it comes down to, Tim, is the lesson learned here and the homework to do. The lesson learned is Cloudflare can't even trust its IDP, and I don't think anybody should, and the way to not trust them is to do the homework of monitoring for those contexts - the escalation of privileges or the downgrades of policy settings and permission settings with respect to MFA policy overrides and things like this. Those are the key things to look after, Tim. Assume that information is in the bad guy’s back pocket, and I think you're better off.

  • Tim Callan

    All right. Ok. So again, Thanksgiving 2023 Security Incident on the Cloudflare blog if you want to read about this Okta episode. November 29, 2023 from Okta, it’s called October Customer Support Security Incident Update and Recommended Actions. So, yeah. It’s been a lot of security stuff and breaches in the news lately and Jason, thank you for getting us up to speed on this one.

  • Jason Soroko

    Thank you, Tim.

  • Tim Callan

    This has been Root Causes.