A thread on the (suspected) Okta compromise from an incident response perspective 🧵

#okta #LAPSUS$ #dfir #incidentresponse
1. Collect and preserve all Okta logs, focus on the Okta System Log as it's the main audit trail for Okta activities
Need more info on this log check (developer.okta.com/docs/reference…)
2. Search your audit log for suspicious activity focus on your superuser/admin Okta accounts as they pose the largest risk
3. Rotate passwords for high-privileged accounts, at this stage it might be a bit early to rotate passwords for all users
4. If you outsource (parts) of your Okta deployment check in with your vendor and make sure what 3rd party admin accounts are used and ask them for support
5. Check if you currently have Okta support access enabled, you might want to disable that for the time being more info (help.okta.com/oie/en-us/Cont…)
6. Check for (privileged) accounts created around the time of the suspected breach - 21 January 2022
7. The CEO of Okta, just posted the following statement related to the alleged breach:
Check out some SIEM rules by @blueteamblog that you can use to search for Okta behavior
thanks for sharing!=
10. Piece by @josephfcox from Vice on the hack vice.com/en/article/jgm… in short screenshots in Telegram most likely related to 3rd party breach from January 2022 which was already investigated and resolved 👀
11. The official response from @okta raises more questions sec.okta.com/articles/2022/… ..
12. - "no evidence to date".. are they still investigating? Will there be updates later..
13. No further update at this moment in time, we are awaiting further information from Okta or other parties involved.
14. Some overlap with the earlier shared sigma/elastic security rules, but this is a nice repository with Okta security events for your hunting/log analysis by @hevnsnt thanks for sharing!
15. Updated statement by Okta see: okta.com/blog/2022/03/u…
16. Looking at the positive side, this might all be less serious. This is a strong statement to make.
17. However it can also be interpreted as contradictory with the bottom half of the statement as their might be impact for some customers. Our advice stay vigilant and keep an eye on the updates coming out of the Okta investigation.
18. This thread never stops it seems, now LAPSUS$ with an updated statement see screenshots.
19. Statement is from their Telegram group t.me/minsaudebr
20. Without inside knowledge we cannot really comment on the statement of LAPSUS$ itself. LAPSUS$ also recommends Okta hiring @Mandiant which is excellent advice, if they're too busy please let us know 😉
21. Okta has provided additional details in their statement (okta.com/blog/2022/03/u…) Most important from the statement in our opinion:
- 2,5% of clients impacted they are already contacted
- There will be a webinar by Okta's CSO on the incident, link to register in post.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Invictus Incident Response

Invictus Incident Response Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(