News broke today that Identity Provider Okta had its source code stolen following the breach of its repositories in GitHub.
At this point, details are still emerging, so information about who was behind the attack, how the breach was achieved, and the extent of the exposure is not yet known.
Based on early reporting, it would appear that the attackers copied Okta’s source code but have not gained access to customer data.
However, if recent history is any indication, Okta and GitHub were likely targeted as links to reach other victims further down the chain.
Continued Targeting the Identity Element of the Supply Chain for Privileged Access
This attack is the latest in a series of incidents targeting Okta. As one of the leading Identity Providers (IdPs), Okta is a prime target for malicious actors seeking to compromise the many organizations that depend on it to manage identity and access to their applications and services.
Earlier this year, in March, Okta disclosed that it had been breached by the Lapsus$ group, which compromised the laptop of an Okta contractor. This attack, which reportedly lasted only a short while, granted the attackers high-level user privileges within Okta customers’ applications and services.
We have seen similar exploitation of Identity and Access Management (IAM) systems, as in the Uber breach, where the attackers found hardcoded credentials for Uber’s Privileged Access Management (PAM) service, and of course the SolarWinds breach, which gave the hackers access to a who’s who of victims, including sensitive U.S. government organizations.
Interestingly, this incident follows GitHub’s recent announcement that they’re going to require MFA to access repositories, recognizing that there is an increased risk facing repos in these kinds of attacks.
Why Identity and Access Management is Under Attack
They say the reason that bank robbers rob banks is because that’s where the money is.
Similarly, hackers target IAM infrastructure because identities are the keys to accessing an organization’s applications, services, and data. This has become increasingly relevant in the massive transition to the cloud, with significant reliance on AWS, GitHub, Azure, Salesforce, and dozens of other cloud services that are critical to running a business.
This latest attack highlights a particular threat that spans the software development pipeline, impacting multiple environments: Software as a Service (SaaS) platforms like GitHub, IAM infrastructure like Okta, and possibly a cloud service provider like AWS as well.
IAM infrastructure like Okta can offer up the keys to the kingdom if it is compromised.
With the right access in an IAM service, an actor can change privileges and policies to grant themselves potentially unfettered access across every environment that the service manages.
For this reason, IAM is not a security tool in itself; it is business-critical infrastructure that needs protection just as endpoints, networks, or cloud environments do.
Securing Your IAM Infrastructure and Cloud Environments with Identity Threat Detection and Response
Mitigating the risks that identity- and access-based attacks pose to your organization requires a multi-pronged approach that enables you to:
- Harden your Identity Security Posture with Just Enough Access Everywhere
- Detect Active Threats Across Clouds (IaaS & SaaS) and IAM Infrastructure
- Respond Effectively and In-line with Security Operations
- Accelerate Investigation and Prioritize By Context
Authomize’s Identity Threat Detection and Response (ITDR) platform gives security teams the tools they need to achieve Least Privilege, as well as detect and respond to threats quickly and efficiently.
Using the Authomize ITDR platform, you can:
Narrow and Harden Your Threat Surface
- Reduce access with a usage-based approach that lets you revoke excess privileges and stale accounts, mitigating the risk of an account takeover or misuse
- Ensure that you have policies in place for MFA on your repositories, detecting admins who do not have MFA enabled
- Identify privilege escalation paths like role chaining and shadow admins
- Detect and fix misconfigurations in your IAM infrastructure that can allow extraction of plaintext passwords or other manipulations by spoke admins that can impact other spokes or the hub
Monitor for Malicious Activity
- This means having visibility across the development pipeline, including your:
  - GitHub repositories
  - Cloud infrastructure like AWS, Azure, and GCP
  - IAM infrastructure (IdPs like Okta, Ping, and Azure AD, and PAM like Delinea)
- Look for changes in access privileges like:
  - The creation of new admins
  - Changes in policies to escalate privileges
  - Changes to logs during a user impersonation attack
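As an added illustration of the posture check (admins without MFA) and the privilege-change monitoring described above, here is example code written for this post; it is not Authomize's platform code and not GitHub's or Okta's log format. The event schema, action names, and sample accounts are all constructed.

```python
"""Flag privilege changes and MFA gaps in identity/source-control audit events."""

# Roles treated as administrative across the IdP and the repository platform.
ADMIN_ROLES = {"admin", "owner"}

# Constructed directory snapshot (not real data): current role and MFA enrolment.
MEMBERS = {
    "alice": {"role": "owner", "mfa": True},
    "bob": {"role": "admin", "mfa": False},
    "carol": {"role": "member", "mfa": True},
    "eve": {"role": "admin", "mfa": False},
}

# Constructed audit events in an assumed, simplified schema; real GitHub/Okta
# logs use different field and action names but carry the same information.
SAMPLE_EVENTS = [
    {"ts": 1, "actor": "alice", "action": "member.add", "target": "bob", "role": "member"},
    {"ts": 2, "actor": "alice", "action": "member.update_role", "target": "bob", "role": "admin"},
    {"ts": 3, "actor": "bob", "action": "org.disable_mfa_requirement", "target": "org", "role": None},
    {"ts": 4, "actor": "bob", "action": "member.update_role", "target": "eve", "role": "admin"},
    {"ts": 5, "actor": "carol", "action": "member.update_role", "target": "dan", "role": "member"},
]

def admins_without_mfa(members):
    """Posture check: administrators who have not enrolled in MFA."""
    return sorted(u for u, m in members.items() if m["role"] in ADMIN_ROLES and not m["mfa"])

def detect_privilege_changes(events):
    """Return (ts, rule, detail) findings for new admins, MFA policy removal,
    and role chaining (a freshly minted admin granting admin to someone else)."""
    findings = []
    role_of = {}           # last known role per account, built from the event stream
    newly_minted = set()   # accounts that became admin within this stream
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, actor, action, target, role = (ev[k] for k in ("ts", "actor", "action", "target", "role"))
        if action == "org.disable_mfa_requirement":
            findings.append((ts, "mfa_requirement_disabled", actor))
        elif action in ("member.add", "member.update_role"):
            prev = role_of.get(target)
            role_of[target] = role
            if role in ADMIN_ROLES and prev not in ADMIN_ROLES:
                findings.append((ts, "new_admin", f"{actor} granted {role} to {target}"))
                if actor in newly_minted:
                    findings.append((ts, "admin_chaining", f"{actor} -> {target}"))
                newly_minted.add(target)
    return findings

if __name__ == "__main__":
    print("admins without MFA:", admins_without_mfa(MEMBERS))
    for finding in detect_privilege_changes(SAMPLE_EVENTS):
        print(finding)
```

On the sample stream this reports bob and eve as admins without MFA, flags both admin grants, the removal of the MFA requirement, and bob (made admin at ts 2) chaining admin rights on to eve at ts 4.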
Respond with your Security Operations Playbook
- Send contextual alerts containing granular information pertaining to identity and access incidents to your SIEM, SOAR, and other SecOps tools
- Utilize automated existing workflows from your security response playbooks, streamlining the remediation process
- Investigate incidents faster, using the platform to quickly understand who has access to what, and what was done with that access
Identity at the Center of Security
Moving into the new year, we expect malicious actors to keep IAM infrastructure, and the identity and access elements across all environments, as their target of choice, for the straightforward reason that gaining access to identity and access infrastructure grants them more and more access.
Okta and other IAM infrastructure services play a critical role in helping us manage access to our environments, making it essential that we give them the layer of security they need.
To learn more about Authomize’s ITDR platform and how we can enable you to mitigate your risk from a breach or identity-based attack, contact us for a Free Assessment of your development pipeline and IAM infrastructure.