Introduction
This is the second blog post in our blog series focused on cyber investigations for identity and access management providers. You can read the first blog post in this series here: Investigate Microsoft EntraID identities in minutes.
Okta is one of the most used identity providers with various identity and access management solutions. Like other IDAM providers, Okta is a valuable resource for starting identity investigations. Impactful identity and authorization patterns including user password changes, password policies, multi-factor authentication (MFA) alerts and application consent grants can be reviewed on Okta during investigations.
In the previous blog post, we initiated our identity investigation from known leads (two user names on an HR watch list). In this post, we’ll follow a similar investigation flow starting from Okta alerts ingested by Command Zero. While we can expand any investigation to other data sources, I'll keep the focus on Okta to simplify this example flow.
Act 1: Reviewing Okta alerts & kicking off the investigation
Command Zero presents alerts from connected data sources for analysts to review and investigate interesting patterns. For this example, let’s take a look at the recent Okta alerts:
As an investigation is initiated from these two alerts, Command Zero starts interrogating relevant data sources to gather more information about these initial leads. The purpose of these initial questions is to save analysts time and incorporate some of the best practices by asking the right questions for every investigation.
Once the answers to the initial questions are received, Command Zero renames this investigation to “Suspicious Activity Reports from Multiple Users in Winnipeg, Canada”. The platform also generates an initial analysis of the investigation:
Act 2: Getting more answers from Okta
Understanding the current and historical context of leads is key to prioritizing the right cases and focusing on the right paths within investigations. As we dive into this investigation, we can quickly review the user information on Okta, past investigations, notes and tags for this lead to get up to speed.
Once we understand the details about the lead, it is easier to determine how to continue the investigation. In this case, we’d like to dig deeper into successful sign-ins for Kiki:
After reviewing Okta login events, the analyst doubles down on the four distinct IPs the user logged in from. Understanding the geolocation, ownership and additional insights for these IPs will help determine the nature of these logins, as well as prove or disprove an account compromise for Kiki, the user under investigation.
Act 3: Investigating suspicious IPs
For every lead in an investigation, the analyst is presented with two main options:
- Ask individual questions from the pre-built knowledge base on Command Zero,
- Run a facet (a dynamic playbook with a pre-built sequence of questions).
For this example, the analyst wants to kickstart the analysis by running facets:
In addition to Okta, the analyst queries IP Info as an enrichment source for these IPs. IP Info delivers important information, including whether an IP is known to be malicious and what type of IP it is.
The analyst reviews additional sign-in activity from these IP addresses and finds that a second user, Patti, was also likely compromised by the same actors. This lead is added to the investigation for further analysis:
As the investigation expands to cover Patti, the analyst finds out that this was a user created by the attacker using Kiki’s administrative privileges. While it’s hard to pinpoint the reason why, Patti was likely a means of persistent access to the environment in case the initial access was discovered.
Act 4: Building the case narrative, timeline and reporting
In the short span of a couple of minutes, Okta alerts led to an interesting investigation and discovery of a password spray attack that resulted in account takeover. Here’s the high-level narrative:
- An attacker using a Tor exit node started a password spray attack targeting Kiki, one of the Okta administrators.
- The attacker gained access to Kiki’s account and used its administrator privileges to create a new account: Patti.
- The attacker kept logging into these two accounts using three distinct IP addresses (all Tor exit nodes) over the course of a month.
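The pivots described in Acts 2 to 4 (a user's distinct sign-in IPs, enrichment of those IPs, other accounts seen from them, and accounts created by the compromised admin) can be reproduced over raw Okta System Log events. The following is an added example, not Command Zero's or Okta's code; the event field names are modelled on the Okta System Log but are assumptions here, and all users, IPs and timestamps are constructed.

```python
from collections import defaultdict

# Constructed sample modelled on Okta System Log fields (eventType,
# outcome.result, actor.alternateId, client.ipAddress, target); the field
# names are assumptions and the users, IPs and timestamps are invented.
EVENTS = [
    {"t": "2024-05-01T01:00Z", "type": "user.session.start", "actor": "kiki", "ip": "198.51.100.7", "result": "FAILURE"},
    {"t": "2024-05-01T01:01Z", "type": "user.session.start", "actor": "kiki", "ip": "198.51.100.7", "result": "FAILURE"},
    {"t": "2024-05-01T01:02Z", "type": "user.session.start", "actor": "kiki", "ip": "198.51.100.7", "result": "FAILURE"},
    {"t": "2024-05-01T01:03Z", "type": "user.session.start", "actor": "kiki", "ip": "198.51.100.7", "result": "SUCCESS"},
    {"t": "2024-05-01T01:10Z", "type": "user.lifecycle.create", "actor": "kiki", "ip": "198.51.100.7", "result": "SUCCESS", "target": "patti"},
    {"t": "2024-05-02T08:00Z", "type": "user.session.start", "actor": "kiki", "ip": "192.0.2.10", "result": "SUCCESS"},
    {"t": "2024-05-03T09:00Z", "type": "user.session.start", "actor": "patti", "ip": "203.0.113.9", "result": "SUCCESS"},
    {"t": "2024-05-09T22:30Z", "type": "user.session.start", "actor": "kiki", "ip": "203.0.113.22", "result": "SUCCESS"},
    {"t": "2024-05-20T23:15Z", "type": "user.session.start", "actor": "patti", "ip": "203.0.113.22", "result": "SUCCESS"},
]
# Constructed enrichment table standing in for an IP Info lookup.
IP_INFO = {"198.51.100.7": "tor", "203.0.113.9": "tor",
           "203.0.113.22": "tor", "192.0.2.10": "business"}

def spray_then_success(events, min_failures=3):
    """IPs with >= min_failures failed logins followed by a success from the
    same IP; returns {ip: [users that logged in after the failures]}."""
    fails, hits = defaultdict(int), defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        if e["type"] != "user.session.start":
            continue
        if e["result"] == "FAILURE":
            fails[e["ip"]] += 1
        elif fails[e["ip"]] >= min_failures:
            hits[e["ip"]].append(e["actor"])
    return dict(hits)

def distinct_ips(events, user):
    """The IPs a user successfully authenticated or acted from (Act 2)."""
    return sorted({e["ip"] for e in events if e["actor"] == user and e["result"] == "SUCCESS"})

def suspicious_ips(ips, ip_info):
    """Keep only the IPs the enrichment source classifies as Tor (Act 3)."""
    return [ip for ip in ips if ip_info.get(ip) == "tor"]

def users_from(events, ips):
    """Other accounts that logged in from the suspicious IPs (the Patti pivot)."""
    return sorted({e["actor"] for e in events if e["ip"] in ips and e["result"] == "SUCCESS"})

def created_by(events, user):
    """Accounts the compromised admin created (persistence check)."""
    return [e["target"] for e in events if e["type"] == "user.lifecycle.create" and e["actor"] == user]
```

Running the pivots in order (spray detection, Kiki's IPs, Tor filter, other users from those IPs, accounts Kiki created) yields the same narrative the post builds: a spray from one Tor IP, a second account Patti created by Kiki, and both accounts signing in from Tor exit nodes.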
By selecting the noteworthy items, the analyst quickly builds the event timeline on Command Zero:
Once the investigation is complete, the analyst can generate an automated investigation report:
Conclusion
Tier-2 and tier-3 analysts, threat hunters and incident responders can investigate Okta identities by interrogating Okta and other data sources easily with Command Zero. In this investigation flow, the analyst started an investigation from multiple Okta alerts, expanded the investigation to additional suspicious leads and completed the investigation after determining the complete narrative, building the timeline and the report for this incident.
Please check out our identity-based investigations page and use case demo to learn more.