Okta, one of the world’s leading authentication service providers, and Microsoft reported (https://www.okta.com/blog/2022/03/oktas-investigation-of-the-january-2022-compromise/ and https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/) a breach by the ransomware group LAPSUS$. This revelation came after a massive dump of data posted by the ransomware group DEV-0537, aka LAPSUS$, including screenshots and source code of what they claimed to be internal Microsoft projects. The leaked data, close to 37 GB, shows potential repositories of Microsoft's Bing, Bing Maps, and Cortana, with the images possibly highlighting Okta's Atlassian suite and in-house Slack channels. Okta reported that a small percentage (2.5%) of its customers have potentially been impacted and that their data may have been viewed or acted upon. This constitutes about 400 enterprises, and potentially many more.
This is the same group (LAPSUS$) that has racked up a long list of high-profile victims, including Impresa, Nvidia, Samsung, Ubisoft, and others in recent times.
Modus Operandi
Okta’s Chief Security Officer announced that the hackers compromised Okta’s systems by gaining remote access to a machine belonging to an employee of Sitel, a company subcontracted to provide customer service functions for Okta. Using RDP (Remote Desktop Protocol), the hackers were able to input commands into the compromised machine and view the monitor output, enabling them to take screenshots.
The objective of the threat actors was to “gain elevated access through stolen credentials that enable data theft and destructive attacks” against a targeted organization, often resulting in extortion. The modus operandi of the rogue actors indicates theft and destruction.
Change in tactics?
Unlike the traditional modus operandi of ransomware groups, which follow a cookie-cutter approach of stealing data and encrypting it to demand ransom payments from the victim organizations, the ransomware group LAPSUS$ seems to have changed its TTPs (Tactics, Techniques & Procedures), focusing on leveraging the stolen data and exposing it in the public domain to blackmail the targets.
LAPSUS$ claimed that “for a service that powers authentication systems to many of the largest corporations, the security measures were pretty poor”. This gets compounded by the fact that many of Okta’s customers provide services to the US federal government and other administrations across the world.
What is confusing customers who subscribe to Okta’s services is that there are no further details on the specific failures that may have occurred within the Okta software system. I’m sure there will be a lot more gory details emerging in the coming days on the indicators of compromise that were in play.
This incident puts a spotlight on the extent of damage that is possible in such cases. We still do not know the magnitude of the SolarWinds attack or, worse, we may never know the full story.
Staring at the tip of the iceberg
All breaches start with a compromised identity or privilege, which is made amply clear by research reports including the Verizon Data Breach Investigations Report (DBIR).
The typical Identity and Access Management systems manage users' lifecycles within the organization by onboarding them and managing their privileges and delegations on a Role-Based Access Control (RBAC) foundation. Federation and SSO solutions further enable organizations to provide seamless access to users to transact activities across several applications and perimeters. Herein lies the problem: security teams don't realize that there is a huge baggage that follows if they do not watch out for what privileges are federated to each environment, with what levels of access and for how long, and, most importantly, if they do not comprehend the entire INTENT behind it.
Identity systems can control the organization’s perimeter only so far. With more non-human access requests becoming mainstream, the current identity systems face a design challenge in governing the privileges of multiple personas across distributed systems spread across multiple tiers of applications, networks, and infrastructure. Stopping privilege abuse in its tracks, in real time before the threat actor gains entry, is an arduous task.
Current industry solutions do not have a mechanism in place to gate the Right-of-Usage (RoS) preemptively as the activity request is processed. The reasons are many, the critical one being the lack of a single source ledger that accounts for all the privileges of the multiple personas of users across multiple workloads, which makes it difficult for RoS to be implemented.
RBAC-based identity systems provide a label of trust for users based on their roles, which is further supported by zero-trust-framework-based solutions, but the fact remains that despite all the identity systems and granular security solutions being in place, the magnitude of the security breaches remains at astronomical proportions with no respite in sight. This is because trust needs to be verified at all times, at an event level, and not be taken from age-old role-based privileges.
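To make the difference between a role-level and an event-level decision concrete, here is an added example (not code from the original post and not any vendor's product) in Python. It contrasts a plain RBAC check, which answers only "does some held role grant this action?", with a per-event check that also verifies live context before a privileged action such as resetting another user's MFA or password is allowed. The role table, trusted network range, principal name "svc.support1", session and MFA freshness limits, and both sample events are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple

# Static role -> permission table (constructed for this example).
ROLE_PERMISSIONS = {
    "support_engineer": {"user.read", "user.reset_password", "user.reset_mfa"},
    "viewer": {"user.read"},
}
# Actions that can hand an account to whoever performs them, so the role
# label alone is not enough: each such event needs live verification.
PRIVILEGED_ACTIONS = {"user.reset_password", "user.reset_mfa"}
# Network range privileged support work is expected to come from (constructed).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class AccessEvent:
    """One access request together with the context known at that moment."""
    principal: str
    roles: FrozenSet[str]
    action: str
    now: datetime
    session_start: datetime
    mfa_verified_at: Optional[datetime]   # None if no step-up MFA in this session
    device_managed: bool
    source_ip: str


def rbac_allows(event: AccessEvent) -> bool:
    """Role-only decision: true if any held role grants the action."""
    granted = set()
    for role in event.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return event.action in granted


def event_level_decision(
    event: AccessEvent,
    max_session_age: timedelta = timedelta(hours=8),
    mfa_freshness: timedelta = timedelta(minutes=15),
) -> Tuple[bool, List[str]]:
    """Per-event decision: the role check plus live context for privileged actions.

    Returns (allowed, reasons); reasons is empty when allowed.
    """
    if not rbac_allows(event):
        return False, ["no held role grants this action"]
    if event.action not in PRIVILEGED_ACTIONS:
        return True, []          # low-risk action: the role label is sufficient
    reasons = []
    if event.now - event.session_start > max_session_age:
        reasons.append("session older than allowed for privileged actions")
    if event.mfa_verified_at is None or event.now - event.mfa_verified_at > mfa_freshness:
        reasons.append("step-up MFA missing or stale")
    if not event.device_managed:
        reasons.append("request from unmanaged device")
    ip = ipaddress.ip_address(event.source_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        reasons.append("source address outside trusted networks")
    return len(reasons) == 0, reasons


def sample_events() -> Tuple[AccessEvent, AccessEvent]:
    """Two constructed requests from the same role-holder: one routine, one suspicious."""
    now = datetime(2022, 1, 21, 2, 15, tzinfo=timezone.utc)
    roles = frozenset({"support_engineer"})
    routine = AccessEvent("svc.support1", roles, "user.reset_mfa", now,
                          session_start=now - timedelta(hours=1),
                          mfa_verified_at=now - timedelta(minutes=2),
                          device_managed=True, source_ip="203.0.113.5")
    suspicious = AccessEvent("svc.support1", roles, "user.reset_mfa", now,
                             session_start=now - timedelta(hours=20),
                             mfa_verified_at=None,
                             device_managed=False, source_ip="198.51.100.7")
    return routine, suspicious


if __name__ == "__main__":
    for ev in sample_events():
        print(ev.source_ip, "rbac:", rbac_allows(ev), "event-level:", event_level_decision(ev))
```

Both sample requests carry the same role and the same action, so RBAC alone allows both; only the event-level check separates the routine request from the one arriving from a stale session on an unmanaged device outside the expected network, and it returns the reasons so the denial can be logged and alerted on rather than silently dropped.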
Post-breach recommendations are much too late
The standard recommendations that follow any breach adopt the rinse-and-repeat approach of credential rotation, including API keys, passwords, secrets, etc., and reviewing the logs for any anomalous activity indicating compromise.
The key to the investigation will be identifying the indicators of compromise that stem from any privilege abuse through excess permissions. Threat actors typically set up launchpads out of the breached identities to set up persistent privileges. Given the current chaos in managing the constantly expanding identity and privilege inventory, this requires manually digging into troves of logs to unearth these attributes. While this post-mortem activity is important, it's a stark reminder to those customers that the train has left the station.
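As an added example of the post-mortem work this paragraph describes (not code from the original post or from any vendor), the Python below walks a small audit log in time order starting from one identity suspected to be compromised and follows the "launchpad" pattern: every identity whose MFA or password that actor resets, or to whom it grants a role, is treated as attacker-reachable in turn, and every long-lived credential such an identity creates is queued for revocation. The log lines, field names, action names, identity names and timestamps are all constructed for this example and do not follow any real product's event schema.

```python
import json
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample audit log in JSON-lines form. Identity names, action
# names and addresses are invented for this example.
SAMPLE_LOG = """
{"ts": "2022-01-20T09:12:03Z", "actor": "svc.support1", "action": "session.start", "target": "svc.support1", "ip": "203.0.113.5"}
{"ts": "2022-01-20T10:00:00Z", "actor": "bob", "action": "role.grant", "target": "carol", "detail": "viewer", "ip": "192.0.2.9"}
{"ts": "2022-01-21T02:14:10Z", "actor": "svc.support1", "action": "mfa.reset", "target": "alice", "ip": "198.51.100.7"}
{"ts": "2022-01-21T02:16:40Z", "actor": "svc.support1", "action": "password.reset", "target": "alice", "ip": "198.51.100.7"}
{"ts": "2022-01-21T02:20:00Z", "actor": "alice", "action": "role.grant", "target": "mallory", "detail": "org_admin", "ip": "198.51.100.7"}
{"ts": "2022-01-21T02:22:00Z", "actor": "alice", "action": "api_token.create", "target": "token-1234", "ip": "198.51.100.7"}
{"ts": "2022-01-21T08:00:00Z", "actor": "bob", "action": "session.start", "target": "bob", "ip": "192.0.2.9"}
"""

# Constructed: the moment from which the seed identity is assumed compromised.
COMPROMISE_START = datetime(2022, 1, 20, 9, 0, tzinfo=timezone.utc)
SEED_IDENTITY = "svc.support1"

# Actions by which one controlled identity yields durable access elsewhere.
TAKEOVER_ACTIONS = {"mfa.reset", "password.reset"}   # target account becomes attacker-controlled
SPREAD_ACTIONS = {"role.grant"}                       # target account gains attacker-chosen privilege
CREDENTIAL_ACTIONS = {"api_token.create"}             # target is a long-lived credential to revoke


def parse_log(text: str) -> List[dict]:
    """Parse JSON lines into events sorted by timestamp (UTC)."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def trace_privilege_spread(events: List[dict], seed: str, since: datetime) -> Dict[str, object]:
    """Follow takeover/grant/credential actions outward from the seed identity.

    Events before `since`, and events whose actor is not (yet) in the affected
    set, are ignored; the walk is in time order so a takeover seen earlier
    makes the victim's later actions count as attacker actions.
    """
    affected = {seed}
    credentials = set()
    indicators = []
    for e in events:
        if e["ts"] < since or e["actor"] not in affected:
            continue
        action = e["action"]
        if action in TAKEOVER_ACTIONS or action in SPREAD_ACTIONS:
            affected.add(e["target"])
        elif action in CREDENTIAL_ACTIONS:
            credentials.add(e["target"])
        else:
            continue  # e.g. session.start: informational, not a persistence indicator
        indicators.append(
            f'{e["ts"].isoformat()} {e["actor"]} {action} -> {e["target"]} from {e["ip"]}'
        )
    return {
        "affected_identities": affected,
        "credentials_to_revoke": credentials,
        "indicators": indicators,
    }


def triage_sample() -> Dict[str, object]:
    """Run the walk over the constructed log with the constructed seed and time."""
    return trace_privilege_spread(parse_log(SAMPLE_LOG), SEED_IDENTITY, COMPROMISE_START)


if __name__ == "__main__":
    result = triage_sample()
    for line in result["indicators"]:
        print("indicator:", line)
    print("rotate/re-enrol:", sorted(result["affected_identities"]))
    print("revoke:", sorted(result["credentials_to_revoke"]))
```

The walk is deliberately transitive: rotating only the seed identity's credentials would leave "alice" (taken over by the reset) and "mallory" (granted admin by alice) untouched, and the API token alice created would keep working after every password rotation. Bob's unrelated role grant is left alone because he is never reached from the seed.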
Reimagining the Right-of-Use Access Governance
If it takes two months for a market leader like Okta to make an official statement, it points to the challenges of detecting identity and privilege compromises right after the incident. Identification of compromise takes weeks, months, or even years in some cases, as reported by Verizon’s DBIR.
There will be more fallout of the Okta breach and more organizations may come out as victims. It's time for the industry to reimagine the way access governance is handled. Any perpetual policies, however short or long they may be, combined with the traditional RBAC policies will end up becoming hunting grounds for more threat actors.
Unless we step back and acknowledge that we may have been looking at the problem in the wrong way, SolarWinds, Log4j, Capital One, Colonial Pipeline, and now the Okta breach will pale in comparison to what may be coming next.
We at Inside-Out Defense (an early-stage Silicon Valley based startup) have currently onboarded a handful of enterprise companies on our Privilege Governance platform.