The Okta HAR Hijacking

Welcome to The CISO Signal, the true cyber crime podcast. I'm Jeremy Ladner. On this episode, we take you to late 2023.

In the vast, interconnected architecture of digital commerce, there is no more sacred commodity than identity. It is the passport, the key, the first line of defense. And for thousands of the world's most powerful enterprises and organizations, that foundation is entrusted to one company. One name we all know... Okta. They are the guardians of the gate, the sentinels of the sign-on, the system built on a simple, singular premise: trust through centralization.

But what happens when the keeper of the keys is compromised? What happens when the central sanctuary designed to manage risk suddenly becomes the largest risk of all?

In the twilight of 2023, Okta unknowingly let the enemy in. Not through a frontal assault, but through an overlooked, unguarded side door. And for a company that had already weathered the storm of previous attacks, this was not just a new breach. It was a further devastating and embarrassing erosion of trust. The enemy was not after random raw data or ransom. They were after the keys to the back door of every one of Okta's customers.

Joining us to break down the breach is our CISO co-host, Oren Zenescu, a seasoned security leader with over 15 years of experience defending enterprises across finance, gaming and high tech. Oren has served as global CISO at Altshuler Shaham and now leads security worldwide at Plarium, while also contributing to the Team8 CISO Village, a global community of cyber executives driving industry innovation.

Oren, welcome to The CISO Signal. It's so great to have you on the show.

Sure. Thank you very much.

Excellent. Is there anything you want to add to your bio? Any background you want to share with the audience before we get started?

I think that you... pretty much summed it up pretty good.

Excellent. It's great to have you with us. And now let's begin the investigation.
We are in the midst of a ceaseless war, not of bombs or bullets, but of breaches, firewalls and silent incursions. The targets, our borders, are banks, our commerce and the critical infrastructure that underpins a free civilization. The enemy is cloaked in code, fueled by greed, glory, and a desire for chaos. This is the story of the unseen protectors, the nameless generals, the CISOs, chief information security officers. They are the guardians at the gate. Watchers on the wall. Ever vigilant and always listening for The CISO Signal.
One of the interesting things about this particular Okta breach... and we know that previous to this, I think in 2022... this occurred in 2023, and in 2022 there were a couple other breaches for Okta, but there is this sort of quiet, lying-in-wait time, this dwell time of a couple weeks. We just recorded an episode this morning for the Colonial Pipeline, where Colonial Pipeline reacted really, really quickly. That was almost 24 hours later. They shut everything down. Whether you agree with that or think it's an overreaction, with Okta this was a couple week delay, kind of a blind spot. The attackers in the Okta breach had access for, again, nearly two weeks. Would you say, in your experience, what are some of the systemic issues that could create a blind spot that lasts that long, even for a security focused company?

So I think that we have to be humble and modest when we come to criticize or examine how a certain company reacted to a certain incident. Definitely a company like Okta, which is a security company, which I'm sure has great security staff in place, a great CISO in place, and has a lot of budget to secure stuff. And yet again, it suffered several security incidents. I think that regarding Okta, because it is actually one of the core pillars of authentication of many organizations worldwide, definitely organizations that are using an SSO policy, it's really hard to understand the extent of a certain attack. And it's even harder to react appropriately and to really thoroughly revoke access and, you know, react and contain the damage. So such companies need to be very cautious with what they are saying, from liability, but also from accessibility and availability of the customers that they are serving. So if Okta is serving as the identity provider of a company, and this company now cannot use Okta because it said, okay, we had a breach, now in order to react to it we need to shut down everything until we understand the damage and the extent, then the damage actually amplifies and, you know, becomes even worse, because now this company not only doesn't know if their data was exfiltrated or not, now they cannot even log into their systems. So you need to be extra cautious with that, and show that Okta did the best to react appropriately. But you know, incidents happen, and it's part of the assumption that we all have to live according to, which is: it's not a matter of if, but when. And we need to be ready.
Act I. The Human Flaw.

To understand this breach, we must first discard the old allegories. This was not a frontal assault on a fortress wall. It was not a brute force attack on a heavy iron door. This was something far more subtle and far more human. This was a supply chain compromise launched through the smallest, most overlooked vulnerability in any corporate infrastructure: the person on the inside.

The initial breach did not target Okta's sophisticated, multilayered, customer-facing security product. It began in a place far more mundane and routine: an Okta employee's personal life. Somewhere in those twilight hours when a work laptop transitions to a personal laptop, an employee made a fateful convenience decision, a single shared credential. Perhaps a service account was saved in a personal account on a Chrome browser. A simple phishing email, a stray piece of malware, or a credential theft targeting that personal account was all it took. The moment that personal account was compromised, the attacker didn't just gain access to emails and photos; they gained the synchronized credentials for a service account inside the Okta support environment. The keys to the gate had not been bypassed. They had been handed over unknowingly by the employee themselves. It was a stark and sobering lesson in the erosion of the digital perimeter, a reminder that in the age of work from anywhere, the security architecture now runs through a single person's browser history.

Once inside the support environment, on September 28, 2023, the attackers moved not like hackers, but like highly efficient corporate auditors. They were hunting for one thing: HTTP Archive files, or HAR files. A HAR file is a technical document requested by support teams. It records the entire conversation between a user's browser and the web service. It's a forensic blueprint of a connection issue. Yet nestled deep inside this routine troubleshooting log is a catastrophic secret: the active session token. This token is not a password. It is not an MFA code. It is the living proof of a successful login. It is the digital equivalent of an empty car being left running in the driveway, with the driver's license on the passenger seat.

The attackers, believed to be the highly persistent and financially motivated group known as Scattered Spider or Octo Tempest, knew exactly where to look. They sifted through the innocuous support files, found the keys, and prepared to use them to unlock the downstream high value systems of Okta's customers. The entire security model of the modern world had just been quietly undermined, not by a zero day exploit, but by an... unsanitized, shared troubleshooting file.
Where do you think most companies are still falling short when it comes to managing their vendor relationships?

So I think third party risk is maybe the most overlooked risk. Not because companies don't recognize it or don't know that it's a risk, but because they cannot really comprehend the extent of this risk. I mean, all of us are sending, you know, vendor questionnaires, looking into SOC 2 Type II, ISO 27001 certification, etc., etc. But it's like, if you take the analogy of a thousand window building, I mean, the CISO needs to secure a thousand windows, making sure that all of them are closed and they are not breached by the attacker. They need to find one open window, you know, in order to get into the company. So I think that it's very hard to really understand from questionnaires, from, you know, certification, etc., what exactly the risks are from your vendor. And again, if you look at a vendor like Okta, which is probably the largest IdP in the world, it's probably also the most attacked one and the most, you know, important for attackers to breach and hack in order to get access to thousands or thousands of thousands of customers.

In terms of HAR files and logs, we know that they can contain, as you mentioned earlier, all kinds of sensitive information. Should we start treating all support uploads and data as potential leakage points?

So I guess the right answer is it depends. So when we're conducting threat modeling or risk assessment for a certain application or system, there are absolutely certain questions we need to ask about the system to make sure, for example, that the logs don't contain secrets, that debugging reports don't contain any sensitive data, that we use the right method in order to prevent keeping secrets inside the logs, etcetera, etc. So I think that's the right approach. So it's more about threat modeling, less about other activities. Also, it's really important to understand what exactly applications you are looking into, etc. And, you know, this is like before the system is even designed and after it's designed. So you conduct your regular risk assessment and, you know, other than risk assessment, you can always try to conduct penetration tests or Red Team, and try to understand from the attacker point of view if you can gain any advantage from getting your hands on this kind of logs. And then you need to ask yourself, again, from an attacker perspective, what can an attacker do with these logs and these reports.
Act II. The Two Week Silence.

The moment of compromise, that quiet entry on September 28th, marked the beginning of a terrifying two weeks of silence, from the late days of September through the middle of October. The attackers' persistence paid off. They had access and they had keys. They were not noisy. They were not demanding ransom immediately. They were simply exfiltrating, harvesting the unsanitized HAR files uploaded by customers seeking help. Imagine a thief with a thousand skeleton keys to a thousand separate neighboring vaults. These stolen session tokens were more than credentials. They were live authentication. They were the digital breath of a logged-in user. In the world of identity security, multi-factor authentication is the deadbolt. It's everything. But the session token stolen in a HAR file allowed the adversary to simply walk around the deadbolt. They had stolen the authenticated session itself.

And for two weeks, while the global security community went about its business, this critical infrastructure company, the identity backbone for much of the world, was silently compromised. The logs were not screaming. The alarms were not sounding. The attacks were perfectly masked within the legitimate, permitted access of the compromised service account. The attacker was simply living off the land, using Okta's own workflows against itself. The question is not just how they got in, but why did no one see them operating for 14 days? This is the great paradox of a highly centralized, trusted system. When a flaw is exposed at the core, the ensuing blind spot becomes vast and total. The security systems were designed to protect the core product. They were not adequately focused on the support infrastructure, that essential, messy human layer where files are shared and trust is assumed. The very act of seeking help from a security vendor became the vector for an attack.

The silence was only broken on October 13th. Okta's internal team detected anomalous behavior, a ripple in the digital pond. Far too late, but a ripple nonetheless. An investigation began, but the scope was initially contained, limited, the severity understated. But the attackers had already moved on. They had the tokens; the keys to the digital crowns of Okta's most security conscious customers were now loose in the world. The long silent harvest was over and the time for the attempted break-ins had begun. The most valuable keys had been stolen not in the dark of night, but in the brightly lit, trusted environment of customer support. The first breach was quiet. The next would be loud. The attack was about to leave the support environment and enter the heart of global enterprise.
Okay, so this breach was all about HAR files, as we talked about, something many of us might not think of as high risk. What other routine data types do you think we might be overlooking today?

So basically any kind of troubleshooting tool that is being used out there can have the possibility to contain such sensitive files. In HAR it's actually pretty simple. I mean, it's a JSON file. So you can just go into the JSON, look for API, session, other sensitive keywords, and just remove it. For other tools it really depends. Usually it's a text file. So again you can go into these tools, make sure that these sensitive keywords do not exist. And if they are, just remove it, sanitize it before you upload it anywhere. And if you already uploaded it, then I would also expect from the other side who received it to not just secure it, but also to make sure that he doesn't keep this sensitive data inside of the file. So maybe implement automation tools to detect and remove such kind of keywords. If you're actually serving customers and you keep customers' data and customers' files, I would also expect you to not store customer PII, customer secrets. And if you did store it already and you have to store it, make it a... I mean, don't keep it for life. Keep it for like five, six days, and remove it, delete it. And once, you know, once you kill a certain asset, it cannot expose you in the future. But once you keep it alive, then it can expose you in the future. Again, it's not a matter of if but when it will be exposed.

So in terms of best practices for session token lifespan, how aggressively should we be forcing re-authentication in high risk environments? How often, how short should the lifespan be?

So again, it really depends on the organization and the risk appetite. I was working in an organization, not as the CISO but as a consultant, that actually had like a very long lifespan of token, because user experience was more important than the risk of someone stealing this session token and how they used them, and that's fine. I mean, as a CISO, I'm working as a risk manager and not working as the bodyguard of the company. And if the company chooses to accept this kind of a risk, then it's their choice. It's okay. But once this decision was made, it's really important to have proper mitigation and proper... risk assessment in place in order to react to that. Other than that, I think we should always use the zero trust approach in those cases, make it as minimal as possible. And again, as mentioned before, if you have certain risky sessions or even risky applications or very critical applications, reauthenticate. It won't be convenient for the user at first, but I think that users will get used to that... when they were trying to open, for example, their password manager, like 1Password, for example, they'll have to reauthenticate even though five minutes earlier they authenticated and passed the MFA... challenge. So I think that it's totally up to the CISO to guide the company in those cases. But again, it's a matter of user experience. And so you also need to take that into your consideration.
Act III. The Customer's Signal.

The true story of the Okta breach is not about how the system failed, but about which customers' security teams were mature enough to catch the failure. The pressure to act came not from the compromised vendor, but from the affected clients. On October 2nd, barely three days after the initial compromise, the identity security firm BeyondTrust detected a successful attack attempt on an internal Okta administrator account. The threat actors were using a stolen session cookie from the support system to perform an API action and attempt to create a backdoor account. BeyondTrust's security team was vigilant. They neutralized the account, and critically, they shared their forensic findings with Okta support. They had the evidence and they knew that the attack came from within Okta's environment. This was the moment that the vendor was shown the smoking gun by the victim.

A similar alarm was sounded by 1Password on September 29th. They detected and terminated suspicious activity on their Okta instance almost immediately; they too were on the front lines of defense. It took over two weeks, a full 14 days from the initial customer detection, for Okta to finally connect the dots, identify the compromised service account and go public. On October 19th, the damage control had begun, but the collateral damage was already spreading. Cloudflare soon confirmed their own incident: an attacker, leveraging a compromised authentication token from the support breach, had attempted to pivot into their internal systems. The defense worked, the attacker was repelled, but the fundamental trust was broken. The very tool Cloudflare used to protect its systems had been weaponized against them by the vendor responsible for that tool.

This chain of events exposed the true calculus of third party risk in the modern era. The vulnerability of a critical vendor is not just their problem; it is a shared liability. In the final, sobering revelation of December 2023, Okta confirmed that 134 customer organizations were directly affected by the session token theft, but the scope was wider still. The attackers had also downloaded a report containing the names and email addresses of all Okta customers who had interacted with support, a master list for social engineering and phishing attacks. The breach was not just a technical failure; it was a failure of transparency and timeliness. It compounded prior security incidents, the Lapsus$ compromise and source code theft, to create an identity crisis not just for the technology but for the industry's reliance on it.

Security is built on defense in depth. But what happens when the deepest layer of the defense, the single sign-on provider, is compromised through its softest, most human-centric perimeter? The great identity crisis of the digital age is now in full swing. The assumption of an impenetrable perimeter has dissolved. The keys that were meant to be guarded by one were instead used by the attacker to knock on the doors of many. The question for every CISO is no longer if this vulnerability exists, but where else is it hiding in their own vendor ecosystem?
What are the new threats that are keeping you up at night, that are causing you to have the hair on the back of your neck stand, the cold sweats, the worry, the anxiety? What is it that you see coming? That is the thing that we should all be worried about.

So I think that the AI era has just begun and it's going to make a revolution in the near future. I think that in a year or two things will definitely look different than how it looks today, from a defensive and offensive point of view. So from an offensive point of view, I think the attacker will be much more sophisticated, much more, you know, capable of doing a lot of stuff by these AI tools. So automating the operation, not even needing to have the human in the loop when attacking an organization; everything will be automatic. Everything will be done by machines. And from the protection side, from the defensive point of view, I think that we should definitely leverage the power of AI, again to detect and analyze threats. It can multiply our analyst force, for example, and help solve a lot of different problems like alert fatigue, etc. Because now you have a virtual analyst with almost unlimited compute power that can detect a lot of stuff in, like, all these false positive alerts, can actually find you this one alert that makes a difference and help you focus on what matters and not just on, you know, simple or all stuff that is actually false positive. So this... detection, and undetected activity, the low and slow way of doing stuff in your network, in your internal systems, without you knowing about it, I think this is something that keeps me up at night. And this is where all of us should make sure that we are safe enough. And, you know, if you look at it also from an IR point of view, then you need to always think about what happened left of the boom and right of the boom. So the boom is the security incident; left of the boom is everything you're doing in order to prevent it. And then once the boom happened, what are you going to do? Right of the boom... So how are you going to react to it? How are you going to recover from it? What... What is your PR strategy? Do you have an incident response retainer in place? Do you have the right policies and playbooks to react to different scenarios? So I think that's also something you need to make sure that you have.

Excellent. Oren, thank you so much for joining us today. I had a great conversation, learned a ton, and look forward to having you back again.

Sure, thank you very much. It was fun and I'm really looking forward to listening to your new episode. Thank you very much.
And now our final chapter. The fallout from Okta leaves a cold shadow over the entire security world. It is the perfect, chilling allegory for the age of identity. This was not a flaw in cryptography. Nor was it a weakness in the algorithm. It was a failure in the most basic human element of trust: the assumption that a file uploaded for help is not a live security risk, and that a corporate laptop has a secure, impenetrable boundary against the user's personal life. The sophisticated attack, the elegant use of a session token to bypass MFA, is only half the story. The other half is the two week silence and the slow, reluctant disclosure that followed. This incident has forced a critical, painful reevaluation. Are we securing the perimeter, or are we just securing our faith in the vendor who promises the perimeter is secure? The keys to the kingdom were compromised, and the ultimate line of defense proved to be not the vendor's own security team, but the vigilance of its most capable customers. And so the question remains: when the gatekeeper is breached, who becomes the guardian? Is the greatest vulnerability the threat actor, or the implicit, unshakable faith in the third party whose core business is to sell you an assurance they can no longer guarantee? And so today's security experts must always be prepared, always vigilant, and always listening for The CISO Signal.

All episodes are based on publicly available reports, post-mortems and expert analysis. While we've done our best to ensure accuracy, some cyber security incidents evolve over time and not all details have been confirmed. Our goal is to inform and entertain, not to assign blame. Where facts are unclear, we've used cautionary language and we always welcome your corrections. Thanks for listening to The CISO Signal.
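An added editorial example, not part of the episode and not Okta's or any vendor's tooling: a HAR sanitizer of the kind Oren describes (open the JSON, find the session, cookie and token material, remove it before the file is uploaded). The two-entry HAR and the keyword list are constructed assumptions, and the redaction covers the places where HAR 1.2 stores that material (headers, cookies, queryString, the duplicated query in request.url, and JSON bodies).

```python
import json, re
from copy import deepcopy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Headers that carry bearer credentials or session cookies (matched case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
# Assumed keyword list for query-parameter and JSON-body key names; tune it per application.
SENSITIVE_NAME_RE = re.compile(r"token|session|\bsid\b|api[_-]?key|password|secret|cookie", re.I)

def _scrub_pairs(pairs, is_sensitive):
    """Redact values in a HAR name/value list (headers, cookies, queryString); return count."""
    hits = [p for p in pairs if is_sensitive(p.get("name", "")) and p.get("value") != REDACTED]
    for pair in hits:
        pair["value"] = REDACTED
    return len(hits)

def _scrub_json(obj):
    """Recursively redact values stored under secret-looking keys; return count."""
    if isinstance(obj, list):
        return sum(_scrub_json(v) for v in obj)
    if not isinstance(obj, dict):
        return 0
    hits = 0
    for key, val in obj.items():
        if isinstance(val, (dict, list)):
            hits += _scrub_json(val)
        elif SENSITIVE_NAME_RE.search(key) and val != REDACTED:
            obj[key], hits = REDACTED, hits + 1
    return hits

def _scrub_body(holder):
    """Redact secret-looking keys in a JSON postData/content body in place; return count."""
    try:
        body = json.loads(holder.get("text", ""))
    except ValueError:
        return 0  # non-JSON bodies are left alone here; extend per body format if needed
    hits = _scrub_json(body)
    if hits:
        holder["text"] = json.dumps(body)
    return hits

def _scrub_url(url):
    """HAR duplicates the query string into request.url, so redact it there as well."""
    parts = urlsplit(url)
    clean = [(k, REDACTED if SENSITIVE_NAME_RE.search(k) else v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(clean))), sum(v == REDACTED for _, v in clean)

def sanitize_har(har):
    """Return (sanitized deep copy, redaction count); the caller's HAR is left untouched."""
    har, total = deepcopy(har), 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            total += _scrub_pairs(msg.get("headers", []), lambda n: n.lower() in SENSITIVE_HEADERS)
            total += _scrub_pairs(msg.get("cookies", []), lambda n: True)  # every cookie is session material
        total += _scrub_pairs(req.get("queryString", []), SENSITIVE_NAME_RE.search)
        if "url" in req:
            req["url"], hits = _scrub_url(req["url"])
            total += hits
        total += _scrub_body(req.get("postData", {})) + _scrub_body(resp.get("content", {}))
    return har, total

# Constructed two-entry HAR: a login POST, then the redirect that carries the new session token.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://idp.example.com/api/v1/authn", "queryString": [],
                 "headers": [{"name": "Content-Type", "value": "application/json"},
                             {"name": "Cookie", "value": "sid=CONSTRUCTED-SESSION-1"}],
                 "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-1"}],
                 "postData": {"text": json.dumps({"username": "alice", "password": "CONSTRUCTED-PW"})}},
     "response": {"headers": [{"name": "Set-Cookie", "value": "sid=CONSTRUCTED-SESSION-2; Secure; HttpOnly"}],
                  "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-2"}],
                  "content": {"text": json.dumps({"status": "SUCCESS", "sessionToken": "CONSTRUCTED-TOKEN"})}}},
    {"request": {"url": "https://app.example.com/login/sessionCookieRedirect?token=CONSTRUCTED-TOKEN&redirectUrl=/home",
                 "queryString": [{"name": "token", "value": "CONSTRUCTED-TOKEN"}, {"name": "redirectUrl", "value": "/home"}]},
     "response": {"status": 302, "content": {}}}]}}
```

Running `sanitize_har(SAMPLE_HAR)` yields 8 redactions and a copy with no constructed secret left in any header, cookie, query string, URL or body; the original stays intact so the pre-upload diff can be reviewed.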
