How did the Okta breach happen?
In a recent security breach, a threat actor with stolen credentials was able to access Okta’s support case management system. That support case management system contained several HAR files, or HTTP Archive files, in support tickets. A HAR file is a JSON-based file format that records and stores detailed information about the interactions between a web browser and a website. While these kinds of files are often used to troubleshoot performance issues, they also tend to contain sensitive information like session tokens. If that information isn’t removed or redacted, it’s possible that threat actors could use it as part of a privilege escalation attack—which is precisely what happened with Okta.
Once the threat actor had access to Okta’s support case management system, they located HAR files from customers like BeyondTrust, Cloudflare, and 1Password. The threat actor then used session tokens in those HAR files to masquerade as an in-house Okta admin. Within 30 minutes of sharing its HAR file, BeyondTrust observed unusual attempted login activity. Cloudflare and 1Password also reported similar suspicious activity.
Upon hearing about the breach, Okta traced the leaked credentials back to their customer service admin, revoked all embedded session tokens, and notified all customers whose HAR files were exposed. All in all, only about 1% of Okta customers were affected by the breach.
What can we learn?
What do you need to know to protect your business’ credentials and session tokens? Let’s dive right in.
1. Safeguard your sensitive credentials from the most common attacks
First and foremost, it’s vital to train your employees about the most popular types of attacks that target credentials. According to Verizon’s 2023 Data Breach Report, nearly 50% of all data breaches involved stolen credentials. Stolen credentials are also the main target of 76% of social engineering attacks. Social engineering attacks may take many different forms, including the following:
- Phishing: Phishing makes up nearly half of all social engineering attacks. Why, you may ask? Because it involves successfully tricking targets into providing PII, PCI, credentials, or other sensitive data via email, fake websites (“spoofing”), voice calls (“vishing”), text (“smishing”), or even customer service messages (“angler phishing”).
- Pretexting: Threat actors will often create a deceptively believable narrative to fool targets into “verifying” their identity or otherwise supplying sensitive information. For instance, a threat actor posing as a bank employee might ask a target to provide their social security number or credit card number to “verify” their account. This kind of attack constitutes nearly 60% of social engineering attempts.
- Business Email Compromise (BEC): While BECs technically fall under the “pretexting” umbrella, they represent an outsized number of social engineering attacks overall. According to Verizon, BECs are incredibly effective because they “can be targeted internally, meaning that the attacker will leverage a compromised employee’s email account to target their own organization by impersonating the user.”
When it comes to phishing, pretexting, and other social engineering attacks involving stolen credentials, employees are a company’s “first line of defense.” It’s necessary for companies to equip employees with the tools they need by training them how to identify and flag the most common kinds of social engineering attacks. Read this blog post to learn why security training still matters, as well as how to build a robust remote security playbook.
2. Always, always authenticate
Multi-Factor Authentication (MFA) is always a must. MFA requires a given user to verify their identity via a code, hardware key, or other method. In the case of the Okta breach, MFA features proved incredibly useful to customers like BeyondTrust and Cloudflare by helping them to identify the breach more quickly.
BeyondTrust pinpointed the threat actor thanks to company policies that “only allowed access to the admin console from managed devices with Okta Verify installed.” This highlights the importance of identity and access management (IAM) in preventing unauthorized access to company systems. As we discussed above, passwords are often susceptible to targeted phishing and social engineering attacks and therefore require an additional layer of protection.
Cloudflare relied on zero trust principles and MFA requiring hardware keys to identify the threat actor early on. “Zero trust” is a philosophy that assumes that no user or device is inherently trustworthy, and that access should be verified and authorized for every interaction. Nightfall can help enforce zero trust by providing robust scanning capabilities to identify and protect sensitive data from exposure. Check out our in-depth blog post to learn more about how Nightfall can help achieve a zero trust security stance.
For both BeyondTrust and Cloudflare, MFA and IAM features played an instrumental part in swiftly detecting and containing a threat actor. Even when credentials were compromised, MFA methods were successful in preventing unauthorized access to company servers.
3. Scan and scrub your HAR files
Customers should only send HAR (HTTP Archive) files when absolutely necessary. HAR files are, in essence, a record of the interactions between a web browser and a web server—which means that they often contain sensitive information such as credentials, session tokens, and more.
If you must send HAR files for troubleshooting or support purposes, Okta suggests “sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.” While scrubbing sensitive data from HAR files may seem like a daunting task at first, Nightfall has several robust scanning capabilities that can stop data sprawl in its tracks.
Here are four ways in which Nightfall could help to remediate the sensitive data found in HAR files:
- Scan data at rest: Nightfall’s AI-powered detection engine can pinpoint PII, PHI, PCI, secrets, and keys that are stored in SaaS apps like Zendesk. Historical scans are a crucial component of ensuring continuous compliance with leading industry frameworks like HIPAA, SOC 2, ISO 27001, and more. Try our free data-at-rest scanner for Zendesk to assess your risk today.
- Scan SaaS apps: Customers tend to “overshare” sensitive information in support tickets in hopes that it might help them resolve issues more quickly. In this case, it’s vital to scan incoming tickets in real time to minimize the risk of sensitive data exposure via HAR files. Nightfall for SaaS is uniquely positioned to do just this as it connects seamlessly with Zendesk and other SaaS apps over APIs. Once connected, Nightfall’s detection engine helps to discover and protect sensitive data through context-rich alerting and convenient remediation options.
- Scan files programmatically: Set up a webhook server to scan HAR files for sensitive data. Follow Nightfall’s step-by-step guide in this blog post.
- Scan files in the Nightfall Playground: Try Nightfall’s dedicated Playground environment for a chance to detect PII, PHI, PCI, secrets, credentials, and more within individual HAR files.
Visit this dedicated blog post to learn more about the risks posed by the sensitive data in HAR files—as well as how Nightfall can help to mitigate them.
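Both the sanitization Okta recommends and the programmatic scanning in the list above come down to the same thing: walking the HAR structure and finding the fields that hold credentials and session material (authorization and cookie headers, the cookie arrays, token-like query and form parameters, and bearer credentials embedded in request bodies). The script below is an added example written for this post; it is not Okta’s or Nightfall’s code and is not the webhook server referenced above. It assumes the standard HAR 1.2 layout (`log.entries[].request` / `response`), and `SAMPLE_HAR` is a constructed input. `scan_har` reports where sensitive material lives without changing the file, and `scrub_har` returns a redacted copy that can be attached to a support ticket.

```python
"""Scan a HAR file for credentials and session material, and scrub it before sharing.

Added example, not Okta's or Nightfall's code. Assumes the HAR 1.2 layout
(log.entries[].request.{url,headers,cookies,queryString,postData} and
response.{headers,cookies}); SAMPLE_HAR below is constructed for the demo.
"""
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header names that carry credentials or session material (matched case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie",
                     "x-api-key", "x-auth-token"}
# Heuristic for query/form parameter names; deliberately errs toward over-redaction.
SENSITIVE_PARAM_RE = re.compile(r"token|session|sid|auth|passw|secret|api[_-]?key", re.I)
# Bearer/Basic credentials embedded in free-text request bodies.
INLINE_CRED_RE = re.compile(r"\b(bearer|basic)\s+[A-Za-z0-9._~+/=-]{8,}", re.I)
REDACTED = "[REDACTED]"

# Constructed sample: one request/response pair with a token in the URL, a session
# cookie, a bearer header, and a credential inside the JSON body.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://example.test/api/v1/users?session_token=abc123&page=2",
        "headers": [
            {"name": "Cookie", "value": "sid=deadbeef; theme=dark"},
            {"name": "Authorization", "value": "Bearer eyJhbGciOi.example.signature"},
            {"name": "Accept", "value": "application/json"},
        ],
        "cookies": [{"name": "sid", "value": "deadbeef"}, {"name": "theme", "value": "dark"}],
        "queryString": [{"name": "session_token", "value": "abc123"}, {"name": "page", "value": "2"}],
        "postData": {"mimeType": "application/json",
                     "text": "{\"grant\": \"Bearer abcdefghijklmnop\"}"},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=newvalue; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "newvalue"}],
    },
}]}}


def _is_sensitive_header(name):
    return name.lower() in SENSITIVE_HEADERS


def _is_sensitive_param(name):
    return bool(SENSITIVE_PARAM_RE.search(name))


def _walk_pairs(pairs, predicate, findings, where, scrub):
    """Record (and, if scrub, redact) every {name, value} pair whose name matches."""
    for pair in pairs:
        name = str(pair.get("name", ""))
        if predicate(name):
            findings.append(f"{where}:{name}")
            if scrub:
                pair["value"] = REDACTED


def _walk_url(url, findings, where, scrub):
    """HAR stores the query both parsed and inside the raw URL, so handle the URL too."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    hits = [n for n, _ in params if _is_sensitive_param(n)]
    if not hits:
        return url
    findings.append(f"{where}:{','.join(hits)}")
    if not scrub:
        return url
    query = urlencode([(n, REDACTED if _is_sensitive_param(n) else v) for n, v in params], safe="[]")
    return urlunsplit(parts._replace(query=query))


def _process_entry(entry, idx, findings, scrub):
    req, resp = entry.get("request", {}), entry.get("response", {})
    if "url" in req:
        req["url"] = _walk_url(req["url"], findings, f"entry[{idx}].request.url", scrub)
    _walk_pairs(req.get("headers", []), _is_sensitive_header, findings, f"entry[{idx}].request.headers", scrub)
    _walk_pairs(resp.get("headers", []), _is_sensitive_header, findings, f"entry[{idx}].response.headers", scrub)
    # From a sharing standpoint every cookie is session material, so all of them count.
    _walk_pairs(req.get("cookies", []), lambda _: True, findings, f"entry[{idx}].request.cookies", scrub)
    _walk_pairs(resp.get("cookies", []), lambda _: True, findings, f"entry[{idx}].response.cookies", scrub)
    _walk_pairs(req.get("queryString", []), _is_sensitive_param, findings, f"entry[{idx}].request.queryString", scrub)
    post = req.get("postData", {})
    _walk_pairs(post.get("params", []), _is_sensitive_param, findings, f"entry[{idx}].request.postData.params", scrub)
    text = post.get("text")
    if isinstance(text, str) and INLINE_CRED_RE.search(text):
        findings.append(f"entry[{idx}].request.postData.text")
        if scrub:
            post["text"] = INLINE_CRED_RE.sub(lambda m: f"{m.group(1)} {REDACTED}", text)


def scan_har(har):
    """Return the locations of credential/session material without modifying the HAR."""
    findings = []
    for idx, entry in enumerate(har.get("log", {}).get("entries", [])):
        _process_entry(entry, idx, findings, scrub=False)
    return findings


def scrub_har(har):
    """Return (redacted copy, findings); the input HAR is left untouched."""
    cleaned = copy.deepcopy(har)
    findings = []
    for idx, entry in enumerate(cleaned.get("log", {}).get("entries", [])):
        _process_entry(entry, idx, findings, scrub=True)
    return cleaned, findings


if __name__ == "__main__":
    for hit in scan_har(SAMPLE_HAR):
        print("found:", hit)
    cleaned_har, _ = scrub_har(SAMPLE_HAR)
    print(json.dumps(cleaned_har, indent=2))
```

The scrubber replaces values rather than deleting fields, so the redacted file still shows support engineers which headers and parameters were present and keeps the timing and status data that HAR files are usually requested for. Run `scan_har` on a real HAR before attaching it to a ticket: an empty findings list is the condition to look for, and anything else means the file should go through `scrub_har` first.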
What are the key takeaways?
The recent Okta breach serves as a crucial reminder to protect sensitive information like credentials and session tokens. In light of this incident, businesses should prioritize employee education, encourage the use of multi-factor authentication, and provide convenient ways to scan and secure HAR files. By taking these proactive measures, organizations can successfully strengthen their defenses against potential threats.