A security breach reported by Okta in October of 2023 involved the theft of HAR files from its customer support system. Subsequently, attackers set their sights on Okta's customer base, aiming to compromise identity instances and associated applications. What were the techniques used by attackers in the Okta HAR breach and how can organizations detect session hijacking before it exposes data?
Overview of a HAR File
HAR, short for HTTP archive format, is used for tracking information between a web browser and a website. A HAR file keeps track of each resource loaded by the browser along with timing information for each resource.
Because support teams commonly ask users to record a browser session as a HAR file for troubleshooting, these files can include session cookies and tokens. In the recent Okta breach, the stolen HAR files chronicled all traffic between the browser and Okta servers, including sensitive session material such as session tokens and authentication cookies.
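The defensive counterpart to the point above is to scrub a HAR file before it is ever uploaded to a support portal. The following is an added example, not code from the original post or from Okta: it walks the standard HAR 1.2 structure (log.entries[].request/response .headers and .cookies), redacts every cookie value and the headers in an assumed sensitive-header list, and reports what it found; the sample HAR is constructed for the demonstration.

```python
import copy
import json
import sys

# Header names whose values carry session material. Assumed starting list;
# extend it for your own environment. Matching is case-insensitive.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-okta-xsrftoken"}
REDACTED = "[REDACTED]"

def _scrub_pairs(pairs, should_redact, findings, where):
    """Redact the value of each {name, value} pair for which should_redact(name) holds."""
    for pair in pairs:
        name = pair.get("name", "")
        if should_redact(name) and pair.get("value") not in (None, "", REDACTED):
            findings.append(f"{where}: {name}")
            pair["value"] = REDACTED

def sanitize_har(har):
    """Return (sanitized deep copy of the HAR dict, list of redacted items).
    Every cookie value is redacted, since any cookie may be a session cookie;
    headers are redacted only when their name is in SENSITIVE_HEADERS."""
    out = copy.deepcopy(har)
    findings = []
    is_sensitive_header = lambda n: n.lower() in SENSITIVE_HEADERS
    always = lambda n: True
    for i, entry in enumerate(out.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            part = entry.get(side, {})
            _scrub_pairs(part.get("headers", []), is_sensitive_header, findings, f"entry {i} {side} header")
            _scrub_pairs(part.get("cookies", []), always, findings, f"entry {i} {side} cookie")
    return out, findings

# Constructed sample: one request/response pair carrying an Okta-style "sid" session cookie.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"url": "https://example.okta.com/api/v1/users/me",
                "headers": [{"name": "Cookie", "value": "sid=CONSTRUCTED-SESSION-ID"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-ID"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=CONSTRUCTED-NEW-ID; HttpOnly"},
                             {"name": "Content-Type", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "CONSTRUCTED-NEW-ID"}]}}]}}

if __name__ == "__main__":
    # Usage: python sanitize_har.py capture.har > capture.sanitized.har
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    clean, found = sanitize_har(har)
    print(json.dumps(clean, indent=2))
    print(f"redacted {len(found)} item(s): {found}", file=sys.stderr)
```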
Hacking Techniques Used in the Okta HAR Breach
Attackers are leveraging the stolen HAR files to conduct session hijacks of Okta customers, exploiting session tokens that may not have been properly sanitized. This allows attackers to hijack authenticated support sessions within Okta.
Additionally, many support personnel have elevated or administrative permissions, enabling the creation and modification of policies and policy rules within the Okta environment. The attack pattern typically follows these steps, as shown in the SaaS Matrix of the MITRE ATT&CK framework:
- The attacker used a session token from one of the stolen HAR files to enter a customer's Okta tenant through the console or API and gain unauthorized access.
- The attacker maintained access by activating an inactive user account and/or creating a new one.
- The attacker modified Multi-Factor Authentication (MFA) settings to enroll tokens under their own control, giving them persistent access to the compromised accounts.
- Subsequently, the attacker disabled MFA on other IT and security-related accounts, subverting security policies and extending the life of the compromised credentials.
How SaaS Security (SSPM) Can Help
In the wake of the Okta HAR breach and the subsequent wave of attacks, an enterprise SSPM platform plays a crucial role in securing your Okta environment. Here's how SSPM solutions can assist:
- Continuous Monitoring - SSPM solutions proactively secure and continuously monitor your Okta instance's attack surface and security configurations.
- Threat Detection - SSPM can alert you to specific threat events and anomalous activities within your Okta instance. This ensures that you are notified promptly in the event of any suspicious behavior.
- Prioritized Alerts - Considering the tactics used by attackers in the Okta breach, here's a partial list of alerts and monitoring that an SSPM solution can provide out of the box to prevent takeovers of your Okta environment.
The Okta HAR breach serves as a stark reminder of the constant threat to SaaS applications. In this ever-evolving landscape, SSPM solutions are vital for proactively securing your Okta environment, detecting suspicious activities, and preventing unauthorized access and data breaches. Monitoring and alerting capabilities provided by SSPM enable organizations to protect their identities and data against emerging threats.